A small Go web service that runs CSP checks using a real browser engine (Playwright) and stores profiles + run history in SQLite.
This project exists to avoid confusion when using a regular browser with DevTools: console output can mix messages from extensions, other tabs, or background pages, and CSP diagnostics are not always easy to filter or configure correctly. This service isolates each URL check and captures only CSP violations for that page.
- Go 1.21+ (for building from source)
- Node.js 18+ (runtime for Playwright)
From the project root:
npm init -y
npm i playwright
npx playwright install chromiumIf you already have a package.json, you can skip npm init -y.
go mod tidy
go build -o csp-web
./csp-webOr run directly:
go run .Open http://127.0.0.1:8080.
Debian/Ubuntu:
sudo dpkg -i csp-web-checker-golang_<version>_amd64.debRHEL/Rocky/Alma/Fedora:
sudo rpm -Uvh csp-web-checker-golang_<version>_x86_64.rpmThis creates the system user csp-check, installs the service unit, and writes defaults to /etc/default/csp-web.
- Install Node.js via tarball (no apt).
- Install Playwright OS dependencies via apt.
- Install Playwright under
/var/lib/csp-webforcsp-check. - Ensure
PATH,NODE_PATH,HOME, andPLAYWRIGHT_BROWSERS_PATHare set in/etc/default/csp-web. - Restart the service.
Install Node.js 18+ from your distro or NodeSource. Example (Debian/Ubuntu):
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejsIf you prefer a tarball install (no apt), you can use:
sudo mkdir -p /opt/node
cd /tmp
NODE_VERSION=20.19.2
curl -fsSL -o node.tar.xz "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz"
sudo tar -xJf node.tar.xz -C /opt/node --strip-components=1
sudo ln -sf /opt/node/bin/node /usr/local/bin/node
sudo ln -sf /opt/node/bin/npm /usr/local/bin/npm
sudo ln -sf /opt/node/bin/npx /usr/local/bin/npxPlaywright needs extra system libraries for Chromium. Examples:
Debian/Ubuntu:
sudo apt-get install -y \
libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 libcups2 \
libdrm2 libdbus-1-3 libxkbcommon0 libxcomposite1 libxdamage1 \
libxfixes3 libxrandr2 libgbm1 libasound2 libpango-1.0-0 \
libpangocairo-1.0-0 libcairo2 libx11-xcb1 libx11-6 libxext6 \
libxrender1 libxtst6 libxshmfence1 libxss1 ca-certificatesRHEL/Rocky/Alma/Fedora:
sudo dnf install -y \
nss nspr atk at-spi2-atk cups-libs libdrm dbus-libs libxkbcommon \
libXcomposite libXdamage libXfixes libXrandr mesa-libgbm alsa-lib \
pango cairo libX11 libXext libXrender libXtst libXshmfence libXss ca-certificatesUbuntu 20.04 missing libraries (after Chromium/GTK deps):
sudo apt-get install -y \
libatomic1 libopus0 libwebpdemux2 libharfbuzz-icu0 \
libwebpmux3 libenchant-2-2 libsecret-1-0 libhyphen0 \
libgbm1 libegl1 libglx0 libevdev2 libgles2 libx264-155 libwoff1If you plan to use Firefox or WebKit, install dependencies for those browsers too (recommended, as the exact package list changes over time):
sudo npx playwright install-deps firefox
sudo npx playwright install-deps webkitPlaywright downloads browser binaries per user. Install them for csp-check:
sudo mkdir -p /var/lib/csp-web/.npm-global /var/lib/csp-web/.npm-cache
sudo chown -R csp-check:csp-check /var/lib/csp-web
sudo -u csp-check -H bash -c "export HOME=/var/lib/csp-web; npm config set prefix /var/lib/csp-web/.npm-global; npm config set cache /var/lib/csp-web/.npm-cache; /usr/local/bin/npm install -g playwright"
sudo -u csp-check -H bash -c "export HOME=/var/lib/csp-web; /var/lib/csp-web/.npm-global/bin/playwright install chromium firefox webkit"If npm is not found in the service user PATH, ensure Node.js is installed system-wide or update /etc/default/csp-web to point to the correct CSP_NODE_BIN.
Note: on Ubuntu 20.04, avoid running npx playwright install-deps as root if you want to avoid temporary root npm installs. Use the apt lists above instead.
Edit /etc/default/csp-web to set the listener address, DB location, and Node/Playwright paths.
sudo editor /etc/default/csp-webMake sure the PATH includes the Playwright global bin for csp-check:
PATH=/var/lib/csp-web/.npm-global/bin:/usr/local/bin:/usr/bin:/bin
NODE_PATH=/var/lib/csp-web/.npm-global/lib/node_modules
HOME=/var/lib/csp-web
PLAYWRIGHT_BROWSERS_PATH=/var/lib/csp-web/.cache/ms-playwright
Then restart the service:
sudo systemctl restart csp-webPlaywright bundles browser versions and should be kept up to date. When you update Playwright, re-run the install command to refresh browser binaries.
For the csp-check user:
sudo -u csp-check -H bash -c "export HOME=/var/lib/csp-web; /usr/local/bin/npm install -g playwright@latest"
sudo -u csp-check -H bash -c "export HOME=/var/lib/csp-web; /var/lib/csp-web/.npm-global/bin/playwright install"To update browsers and system dependencies in one step:
sudo -u csp-check -H bash -c "export HOME=/var/lib/csp-web; /var/lib/csp-web/.npm-global/bin/playwright install --with-deps"- Start the server:
go run .- Open
http://127.0.0.1:8080and paste:
https://breckhistoryarchives.org/
https://breckhistoryarchives.org/robots.txt
https://breckhistoryarchives.org/favicon.ico
- Submit, then open Run History to view the results.
- Paste full URLs (one per line) on the home page and submit.
- View results in Run History and click a run for details.
- Grouped Issues summarize violations across pages; Page Status shows HTTP status and timings for every URL.
- Each run checks Chromium, Firefox, and WebKit sequentially and shows three sections in the results.
Environment variables:
CSP_WEB_ADDR(default127.0.0.1:8080)CSP_WEB_DB(defaultdata.dbor/var/lib/csp-web/data.dbfor packages)CSP_NODE_BIN(defaultnode)CSP_SCRIPT_PATH(default./csp-check.mjsor/usr/local/bin/csp-check.mjsfor packages)
- Lines starting with
#in the URL list are ignored. - Only full
http://orhttps://URLs are accepted.
The app stores profiles and run history in a SQLite file. To reset it:
Source runs (local file):
rm -f data.dbPackage install (systemd):
sudo systemctl stop csp-web
sudo rm -f /var/lib/csp-web/data.db
sudo systemctl start csp-webOn next start, the app recreates the database and default profiles.