diff --git a/roles/sys-ctl-hlth-csp/README.md b/roles/sys-ctl-hlth-csp/README.md
index 6c3cc1dd..d5fa07f7 100644
--- a/roles/sys-ctl-hlth-csp/README.md
+++ b/roles/sys-ctl-hlth-csp/README.md
@@ -14,6 +14,32 @@ Designed for Archlinux systems, this role periodically checks whether web resour
 - **Domain Extraction:** Parses all `.conf` files in the NGINX config folder to determine the list of domains to check.
 - **Automated Execution:** Registers a systemd service and timer for recurring health checks.
 - **Error Notification:** Integrates with `sys-ctl-alm-compose` for alerting on failure.
+- **Ignore List Support:** Optional variable to suppress network block reports from specific external domains.
+
+## Configuration
+
+### Variables
+
+- **`HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM`** (list, default: `[]`)
+ Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
+
+Example:
+
+```yaml
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
+ - pxscdn.com
+ - cdn.example.org
+```
+
+This will run the CSP checker with:
+
+```bash
+checkcsp start --short --ignore-network-blocks-from pxscdn.com cdn.example.org
+```
+
+### Systemd Integration
+
+The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.
 ## License
@@ -24,4 +50,4 @@ Infinito.Nexus NonCommercial License
 Kevin Veen-Birkenbach Consulting & Coaching Solutions
-[https://www.veen.world](https://www.veen.world)
\ No newline at end of file
+[https://www.veen.world](https://www.veen.world)
diff --git a/roles/sys-ctl-hlth-csp/defaults/main.yml b/roles/sys-ctl-hlth-csp/defaults/main.yml
new file mode 100644
index 00000000..3d32f135
--- /dev/null
+++ b/roles/sys-ctl-hlth-csp/defaults/main.yml
@@ -0,0 +1,5 @@
+# List of domains whose network block failures (e.g., ORB) should be ignored
+# during CSP checks. This is useful for suppressing known external resources
+# (e.g., third-party CDNs) that cannot be influenced but otherwise cause
+# unnecessary alerts in the crawler reports.
+HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM: []
diff --git a/roles/sys-ctl-hlth-csp/files/script.py b/roles/sys-ctl-hlth-csp/files/script.py
index dcd032c1..94b3d626 100644
--- a/roles/sys-ctl-hlth-csp/files/script.py
+++ b/roles/sys-ctl-hlth-csp/files/script.py
@@ -21,11 +21,19 @@ def extract_domains(config_path):
 print(f"Directory {config_path} not found.", file=sys.stderr)
 return None
-def run_checkcsp(domains):
+def run_checkcsp(domains, ignore_network_blocks_from):
 """
- Executes the 'checkcsp' command with the given domains.
+ Executes the 'checkcsp' command with the given domains and optional ignores.
 """
- cmd = ["checkcsp", "start", "--short"] + domains
+ cmd = ["checkcsp", "start", "--short"]
+
+ # pass through ignore list only if not empty
+ if ignore_network_blocks_from:
+ cmd.append("--ignore-network-blocks-from")
+ cmd.extend(ignore_network_blocks_from)
+
+ cmd += domains
+
 try:
 result = subprocess.run(cmd, check=True)
 return result.returncode
@@ -45,6 +53,12 @@ def main():
 required=True,
 help="Directory containing NGINX .conf files"
 )
+ parser.add_argument(
+ "--ignore-network-blocks-from",
+ nargs="*",
+ default=[],
+ help="Optional: one or more domains whose network block failures should be ignored"
+ )
 args = parser.parse_args()
 domains = extract_domains(args.nginx_config_dir)
@@ -55,7 +69,7 @@ def main():
 print("No domains found to check.")
 sys.exit(0)
- rc = run_checkcsp(domains)
+ rc = run_checkcsp(domains, args.ignore_network_blocks_from)
 sys.exit(rc)
 if __name__ == "__main__":
diff --git a/roles/sys-ctl-hlth-csp/tasks/01_core.yml b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
index 2c63aca9..78a4d19c 100644
--- a/roles/sys-ctl-hlth-csp/tasks/01_core.yml
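Review bot: In run_checkcsp the target domains are appended after the `--ignore-network-blocks-from` values, so the command becomes `checkcsp start --short --ignore-network-blocks-from <ignores…> <domains…>`; if checkcsp parses that option with variable arity (the README example passes several values after it, and the role's own parser in the second hunk models it with `nargs="*"`), the domains are indistinguishable from further ignore entries and may be consumed by the option, leaving nothing to check or silently excluding the sites this health check exists to cover. Placing the positional domains before the option removes the ambiguity regardless of how checkcsp's parser is configured: `cmd = ["checkcsp", "start", "--short"] + domains` / `if ignore_network_blocks_from:` / `cmd += ["--ignore-network-blocks-from", *ignore_network_blocks_from]`. I cannot see checkcsp's parser from here, so this should be confirmed against it; the docstring could also state that a non-empty list is forwarded verbatim as one option with several values.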
+++ b/roles/sys-ctl-hlth-csp/tasks/01_core.yml
@@ -18,6 +18,11 @@
 system_service_timer_enabled: true
 system_service_tpl_on_failure: "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
 system_service_tpl_timeout_start_sec: "{{ CURRENT_PLAY_DOMAINS_ALL | timeout_start_sec_for_domains }}"
- system_service_tpl_exec_start: "{{ system_service_script_exec }} --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}"
+ system_service_tpl_exec_start: >-
+ {{ system_service_script_exec }}
+ --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }}
+ {%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 -%}
+ --ignore-network-blocks-from {{ HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | join(' ') }}
+ {%- endif -%}
 - include_tasks: utils/run_once.yml
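Review bot: The `{%- if … -%}` line strips the whitespace on both sides of the tag, and because `>-` first folds the continuation lines into one space-separated string, the rendered ExecStart reads `--nginx-config-dir=<dir>--ignore-network-blocks-from a b` whenever the ignore list is non-empty (assuming the five continuation lines share one indent, as the hunk suggests). script.py would then receive a bogus config directory and see the domains as unrecognised positional arguments, so the timer's check fails instead of running with the ignores, while the empty-list case renders correctly and hides the problem in default deployments. Keeping only the leading strip, `{%- if HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM | length > 0 %}`, leaves one space before the flag; `{%- endif -%}` can stay as it is. Since the values land unquoted on a systemd ExecStart line, `| map('quote') | join(' ')` would also keep an entry containing whitespace or shell-like characters from being split into extra arguments.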