mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-10-09 18:28:10 +02:00
Kevin Veen-Birkenbach
4d9890406e
Updated README to reflect correct usage with '--', adjusted script.py to always append separator, and simplified task template handling for consistency. Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
1.9 KiB
1.9 KiB
Health CSP Crawler
Description
This Ansible role automates the validation of Content Security Policy (CSP) enforcement for all configured domains by crawling them using a CSP Checker.
Overview
Designed for Archlinux systems, this role periodically checks whether web resources (JavaScript, fonts, images, etc.) are blocked by CSP headers. It integrates Python and Node.js tooling and installs a systemd service with timer support.
Features
- CSP Resource Validation: Uses Puppeteer to simulate browser requests and detect blocked resources.
- Domain Extraction: Parses all
.conffiles in the NGINX config folder to determine the list of domains to check. - Automated Execution: Registers a systemd service and timer for recurring health checks.
- Error Notification: Integrates with
sys-ctl-alm-composefor alerting on failure. - Ignore List Support: Optional variable to suppress network block reports from specific external domains.
Configuration
Variables
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM(list, default:[])
Optional list of domains whose network block failures (e.g., ORB) should be ignored during CSP checks.
Example:
HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM:
- pxscdn.com
- cdn.example.org
This will run the CSP checker with:
checkcsp start --short --ignore-network-blocks-from pxscdn.com -- cdn.example.org <domains...>
Systemd Integration
The role configures a systemd service and timer which executes the CSP crawler periodically against all NGINX domains.
License
Infinito.Nexus NonCommercial License https://s.infinito.nexus/license
Author
Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world