I suggest a setting in composite.config to specify whether https is required for accessing the console or not. I'm getting pretty tired of rolling out a custom Http Module each and every time :/
Comments: ** Comment from web user: mawtex **
As you mention above you can still use your VS tools, msbuild, xslt, ctt etc. to transform the config file if you want to. So nothing lost here. They are both XML files.
The big up side to having a dedicated file is that you __also__ have the option to exclude it from things like migration jobs, source control etc. and not have to care about transformation jobs or perpetual manual fixing.
Bear in mind this is a file you most likely want to keep unique across environments, Like making it read only on prod.
I'd say the question boils down to making life more complicated for the devs not using automated transformations or letting the transformation jockey make one more transformation task (or letting him exclude the file from migration tasks or source control).
With some technical empathy I'd call this a pretty easy choice: complexity for the masses vs. more of the same for the ninjas. More options vs. forced transformation. Since this is related to website security I'd prefer to avoid (unneeded) complexity.
> When xcopying from dev to stage to prod, there is still a ton of settings you would need to transform
A lot of people actually makes no "transformations" when moving a website back and forth from environments. Let us make room for those people also as best we can. Technical empathy is key here I think.