diff --git a/roles/sys-ctl-hlth-csp/README.md b/roles/sys-ctl-hlth-csp/README.md
index d5fa07f7..61bafaf8 100644
--- a/roles/sys-ctl-hlth-csp/README.md
+++ b/roles/sys-ctl-hlth-csp/README.md
@@ -34,7 +34,7 @@ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
 This will run the CSP checker with:
 
 ```bash
-checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org <domains...>
+checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>
 ```
 
 ### Systemd Integration
diff --git a/roles/sys-ctl-hlth-csp/files/script.py b/roles/sys-ctl-hlth-csp/files/script.py
index 94b3d626..6f7deba9 100644
--- a/roles/sys-ctl-hlth-csp/files/script.py
+++ b/roles/sys-ctl-hlth-csp/files/script.py
@@ -31,6 +31,7 @@ def run_checkcsp(domains, ignore_network_blocks_from):
     if ignore_network_blocks_from:
         cmd.append("--ignore-network-blocks-from")
         cmd.extend(ignore_network_blocks_from)
+        cmd.append("--")
 
     cmd += domains
 
diff --git a/roles/sys-ctl-hlth-csp/tasks/01_core.yml b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
index 78a4d19c..acb4f36b 100644
--- a/roles/sys-ctl-hlth-csp/tasks/01_core.yml
+++ b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
@@ -21,8 +21,6 @@
     system_service_tpl_exec_start: >-
       {{ system_service_script_exec }}
       --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
-      {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%}
       --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
-      {%- endif -%}
 
 - include_tasks: utils/run_once.yml