Provider noticed that domain's Transfer key could be retrieved from data exchange captured in browser dev tools during page load in CCPv2. Information comes from domain's zoneinfo APS resource.
Is that possible to hide this information from end-user completely?
By design, all APS requests made from applications integrated with CCP are visible via browser console. Feature request PFR-650 was submitted to R&D team to exclude sensitive information from data exchange visible in Dev tools.