Web.config IIS Rewrite Rules for Security HTTP Response Headers.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="false" />
    <rewrite>
      <outboundRules>
        <preConditions>
          <preCondition name="IsHTML">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
        <rule name="Clickjacking Protection" preCondition="IsHTML">
          <match serverVariable="RESPONSE_X_Frame_Options" pattern=".*" />
          <action type="Rewrite" value="SAMEORIGIN" />
        </rule>
        <rule name="Reflected XSS Attacks" preCondition="IsHTML">
          <match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
          <action type="Rewrite" value="1; mode=block" />
        </rule>
        <rule name="No Search Engine Indexing">
          <match serverVariable="RESPONSE_X_Robots_Tag" pattern=".*" />
          <action type="Rewrite" value="noindex, nofollow" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>