The CSP module is the largest part of Helmet

This post is aimed at people that have some familiarity with my Helmet Node.js module.

Helmet is a Node.js module that helps you secure your Express applications by setting various HTTP headers. It sets headers like X-Frame-Options to help prevent a kind of attack called "clickjacking" and X-XSS-Protection to turn on the browser's basic built-in filter against reflected cross-site scripting attacks. If you're writing an Express app (or a Connect or Koa app), I hope you'll give it a look!

The bulk of the module is pretty straightforward: just set nine HTTP headers. Some of the headers are set every time no matter what, while others have a small amount of logic associated with them. Eight of them are simple and one of them is a beast: the Content Security Policy (CSP) module. I'll spend this post talking about why that module is so much bigger than the rest.

Expect this to be boring.


I certainly feel like the CSP part of Helmet is the biggest. I spend the most time working on it and it's the hardest to wrap my head around. But how much bigger is it?

cloc is a cool program that counts lines of code. I used it to see which module was the biggest, and made sure to exclude node_modules, package.json, and test files. To see how big each module was, I ran this command in each directory:

cloc --quiet --exclude-dir=node_modules,test --not-match-f='package\.json' --include-lang=Javascript,JSON .

The stats it gave me boil down to this:

  • CSP code: 223 lines
  • everything else combined: 226 lines

Why is it so big?

In short, the size of the CSP module comes from browser sniffing.

Every browser supports a slightly different variation of Content Security Policy (or doesn't support it at all). The simplest example is the name of the header. Newer browsers call the header Content-Security-Policy, while older ones expect X-Content-Security-Policy or X-WebKit-CSP instead. There are loads of other browser differences that are much more difficult to deal with.

The CSP module has to inspect user agents to figure out which headers to set and how to set them. This is a nightmare. Without browser sniffing, this module would probably be about 30 lines; with browser sniffing, it's over 200!
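As an added example (not Helmet's own code), here is the shape of that sniffing in an Express/Connect-style middleware: the User-Agent picks the header name, and an unknown browser gets every variant so that whichever one it understands is honored. The regexes and version cutoffs (Firefox 23, Chrome 25) are simplifications assumed for illustration, Helmet's real tables are considerably longer, and the sample directives use a made-up CDN host.

```javascript
// Added example (not Helmet's code): choose which CSP header name(s) to set
// from the User-Agent, then serialize a directive map into the header value.
// The version cutoffs below are assumptions for illustration.
const STANDARD_HEADER = 'Content-Security-Policy';
const X_CSP_HEADER = 'X-Content-Security-Policy';   // older Firefox / IE
const X_WEBKIT_HEADER = 'X-WebKit-CSP';             // older Chrome / Safari

// Returns the list of header names a response should carry for this UA.
function cspHeaderNames(userAgent) {
  const ua = String(userAgent || '');
  let match;

  match = /Firefox\/(\d+)/.exec(ua);
  if (match) {
    // Assumed cutoff: Firefox adopted the unprefixed header at version 23.
    return Number(match[1]) >= 23 ? [STANDARD_HEADER] : [X_CSP_HEADER];
  }

  match = /Chrome\/(\d+)/.exec(ua);
  if (match) {
    // Assumed cutoff: Chrome adopted the unprefixed header at version 25.
    return Number(match[1]) >= 25 ? [STANDARD_HEADER] : [X_WEBKIT_HEADER];
  }

  // Unknown or unparseable UA: set every variant. A browser ignores header
  // names it does not recognize, so the extra ones are harmless.
  return [STANDARD_HEADER, X_CSP_HEADER, X_WEBKIT_HEADER];
}

// Turns { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
// into "default-src 'self'; script-src 'self' https://cdn.example.com".
// (cdn.example.com is a constructed placeholder host.)
function serializePolicy(directives) {
  return Object.keys(directives)
    .map((name) => `${name} ${directives[name].join(' ')}`)
    .join('; ');
}

// Express/Connect-style middleware: (req, res, next). One setHeader per variant.
function cspMiddleware(directives) {
  const policy = serializePolicy(directives);
  return function csp(req, res, next) {
    for (const name of cspHeaderNames(req.headers['user-agent'])) {
      res.setHeader(name, policy);
    }
    next();
  };
}

// For contrast: without sniffing, the middleware collapses to a single call.
function cspMiddlewareNoSniff(directives) {
  const policy = serializePolicy(directives);
  return function csp(req, res, next) {
    res.setHeader(STANDARD_HEADER, policy);
    next();
  };
}
```

The sniffing logic is where all the growth comes from: every additional browser family, version cutoff, or directive that one engine spells differently adds another branch to cspHeaderNames, while serializePolicy and the middleware wrapper stay the same size.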

In my opinion, that's the real differentiator of Helmet. The rest of the library could be rewritten from scratch in a pretty short amount of time, but the amount of code and research that went into CSP-related browser quirks is pretty unique. It's the most frustrating to deal with, but it's the most important!

Vim's :x command

In short: Vim has :x which is basically the same as :wq but slightly less typing.

The first time I opened Vim, it was an accident. In a mad panic, I started smashing keys. What was this wretched program? Soon, Vim presented me with a message telling me to type :quit to exit Vim. This was the first Vim command I ever learned.

After spending more time with Vim, I learned the :q shorthand. This is an example of Vim users' hatred of the extra keystroke. Instead of typing :write and then :quit to save and quit, you can type :wq.

Most Vim users I've met know about :wq, but a lot of people (including me, until recently) don't know they can trim a keystroke with the (nearly) equivalent :x command. To quote Vim's documentation on the command:

Like :wq, but write only when changes have been made.

I use :x instead of :wq every time and haven't encountered a problem—it's rare that you need to update the modification time of a file with no other changes.

This has saved me thousands of keystrokes throughout my Vim career. I thought it was worth sharing with the world!

Only customize where you are unusual

In an article about GitHub's tech stack:

We don't need to reinvent the wheel, we don't need to write our own databases, we don't need to start writing our own frameworks—because they're all in domains that are usual. It's a website, it's web hosting. In the domains that are unusual, we fully embrace the need to write custom applications or build bespoke apps for that.

Gender breakdowns in Super Smash Brothers

I am not the biggest Super Smash Brothers fan, but I'm a big one. I've owned every game, watched the documentary, and embarrassed myself in front of non-nerds. I'm not a hardcore smasher, but I really enjoy the series.

I was curious: how many of the characters are female? I'd hardly call this a "big data" problem, but I took a crack at it.

First, I took a look at the character counts; how many characters are there per game?

Character counts graph

Based on this, there are an average of 15 new characters per game, and if that trend continues, the next game will have 65 characters! A second-order polynomial curve of best fit gives an estimate of 61.25 characters. I've found myself overwhelmed by the latest game's offering of 50 characters; what will a number in the 60s feel like?

Next, I split characters into four groups: unambiguously male (henceforth referred to as "male"), unambiguously female (henceforth referred to as "female"), androgynous (like Pokémon), and characters whose gender you could choose (like Villager). There are more males in the series than any of the other groups combined:

Gender breakdown for all games

This looks a bit bleak. Perhaps things have been getting better over the years? If you break things down by game, though, it's unclear what's going on:

Gender breakdown by game

You see a different trend depending on what numbers you look at. On one hand, the number of female characters increased from 1 to 8 and the number of "choose" characters increased from 0 to 5. On the other hand, the first game was 75% male, Melee was 65% male, Brawl was back up to 76%, and Smash 4 was 62% male. It's hard to see a strong positive trend.

Nintendo should rename the game to "Smash" and have more diverse characters!


I made a number of assumptions while going through this data. Unless you're quite interested in the minute details of this post, I'd skip this:

  • I didn't include any of Smash 4's DLC characters.
  • Duck Hunt: The SmashWiki entry says that the off-screen hunter "is supposed to represent the player" and therefore varies with gender, so I placed Duck Hunt in the androgynous category. The dog is male, so you could argue that I mis-categorized.
  • Ice Climbers: players can choose which character is controlled, so I placed Ice Climbers in the "choose" category. This could be in the androgynous category, or its very own category.
  • Pokémon: while some Pokémon are considered masculine or feminine by some, their genders are unspecified in the Smash games.
  • Pokémon Trainer: I counted Brawl's Pokémon Trainer as one male character, but one could consider this three androgynous characters.
  • R.O.B.: I didn't think R.O.B. had a gender but the SmashWiki says he's male.
  • Rosalina & Luma: I sorted the pair as "female", but one could debate that the Luma is male and should be sorted elsewhere.
  • Sheik: There's debate about Sheik's gender. I chose Sheik to be female throughout this post because the Smash series refers to Sheik as female, but there are plenty of interpretations, all of which are probably offensive to somebody. I apologize to anyone offended by this choice.
  • I didn't include data from the Project M fan mod.

I wrote some code, made some CSVs, and used Apple's Numbers program when writing this post. You can find all of those files here.

Programming languages and their ecosystems

There was an article called "Ruby is defined by terrible tools". I don't have enough Ruby experience to know whether its thesis is true, but one quote really stuck out for me:

Programming languages cannot be considered separately from their ecosystems.

I totally agree with this, almost to the point where the language itself is secondary to the tools. "Softer" things can go a long way to making a language good to work with: package management; documentation; tooling; community.

Personally, I feel this way about Node. I don't find JavaScript a pleasure to work with, but the Node ecosystem is solid.