Once upon a time, I served all the static content base64-xored with a session key on the backend, and decrypted the content on the front-end with JS.