This is not a serious issue, unless you are allowing everybody to see what is written in the file.
<addname="cs"connectionString="DataSource=myServerAddress;Initial Catalog=myDataBase; User Id=myUsername; Password=XXSDFASFDKD;"/>
The problem with this approach can come, when you either store these values inside your version control, or you allow everybody to read your production configurations.
I have used some other methods to overcome this problem. Most of the cloud based (and others too) hosting solutions provide environment configuration settings. You can use either that, or you can rewrite the configuration files upon deployment, something like this, https://docs.microsoft.com/en-us/previous-versions/aspnet/dd465326(v=vs.110), or you can use naming convention like web.config
. This way, you will only check-in web.config, and keep the web.Release.config version somewhere safe—if you of course don't trust your developers
What I did was, I loaded these values on runtime using environment variables, and forwarded them to the type loaders and initializers. This way, I had the production values configured only on the hosting service, and local engineers only see their own system-level configurations. Other than that, there is no problem, and remember, encryption will only exaggerate the problem, instead of solving it
—try it to experience it
Check out this video to understand how, https://www.youtube.com/watch?v=MkcsbM7_2aE