Can you keep a secret?
If you are developing applications that use CSP or Zen, or any other InterSystems web technology built on top of CSP, then it is important to know how to keep one particular secret.
A central part of the CSP security architecture is a server-side session key. "Server-side" because its value should never be revealed to the client that is issuing the web requests. If it is revealed, a malicious client might be able to use it to bypass your security and make your server do things you don't want it to.
Your session key is available as the Key property of your %CSP.Session object; in server-side code it is typically referenced as %session.Key.
The documentation for the Key property states:
Stores the encryption key used to validate and secure the communication with the browser. This key never leaves Cache.
In order to "keep a secret" you must make sure that nothing you write (or any code you call) ever transmits the value of that property to the client in a readable form, whether in page content, hidden fields, cookies, URL parameters or generated JavaScript.
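Here is an added ObjectScript example (not code from the original post) showing the leak beside the safe pattern, plus a check you can run over rendered output. The class and method names (Demo.SessionKey, LeakyHiddenField, SafeHiddenField, ReadSafeToken, ResponseLeaksKey) are invented for illustration; Encrypt(), Decrypt() and EscapeHTML() are the methods inherited from %CSP.Page, and %session and %request are the usual CSP runtime objects.

```objectscript
/// Added example, not part of the original post. Class and method names are
/// invented for illustration; Encrypt/Decrypt/EscapeHTML come from %CSP.Page.
Class Demo.SessionKey Extends %CSP.Page
{

/// BAD: writes the raw session key into a hidden field. Anyone who views the
/// page source (or proxies the response) now holds the server-side secret.
ClassMethod LeakyHiddenField()
{
    &html<<input type="hidden" name="token" value="#(%session.Key)#">>
}

/// GOOD: the key never leaves the server. Encrypt() uses %session.Key
/// internally, so the browser only ever sees ciphertext; EscapeHTML()
/// keeps that value from breaking out of the attribute.
ClassMethod SafeHiddenField(userId As %String)
{
    &html<<input type="hidden" name="token" value="#(..EscapeHTML(..Encrypt(userId)))#">>
}

/// Recover the value on the next request. Decrypt() uses the same
/// session key, so a token copied from another session does not
/// decrypt to the original user id. Still validate what comes back
/// before trusting it.
ClassMethod ReadSafeToken() As %String
{
    Set token = %request.Get("token", "")
    Quit:token="" ""
    Quit ..Decrypt(token)
}

/// Regression check: render a page into a string and make sure the key
/// never appears in it. The guard matters because the contains operator
/// "[" treats the empty string as present in every string.
ClassMethod ResponseLeaksKey(html As %String) As %Boolean
{
    If %session.Key = "" Quit 0
    Quit (html [ %session.Key)
}

}
```

Capture the output of each page under test (for example by redirecting the device to a string) and feed it to ResponseLeaksKey; any true result means the secret has reached the client and the page needs the SafeHiddenField treatment.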