A common mistake I see (and often still make myself) is publishing the parameterization files with your web application. Visual Studio marks the file’s Build Action property to Content by default when you add a new XML file. This means it will be deployed in your application just like any other HTML file would be.
This causes two potential security risks. First anyone who has admin or read access to the website folder on the web server could read those configuration settings and possible use those details nephariously. Secondly, XML files are served up by an IIS by default so anyone who has access to your website could attempt to read the file if they know or can guess the filename. THIS IS BAD!
Change the Build Action to None for these files and they will not be deployed. This will likely cause an issue however in that you need the SetParameters when you run the deploy command. For this you can add your SetParameters files to an ItemGroup and then copy those files to your package folder.
&lt;ItemGroup&gt; &lt;SetParameterFiles Include=&quot;$(MSBuildProjectDirectory)SetParameters.*.xml&quot; /&gt; &lt;/ItemGroup&gt; &lt;MakeDir Directories=&quot;$(PackageFolderPath)&quot; /&gt; &lt;Copy SourceFiles=&quot;@(SetParameterFiles)&quot; DestinationFolder=&quot;$(PackageFolderPath)&quot; /&gt;