Web.config IIS Rewrite Rules for Security HTTP Response Headers.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="false" />
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="IsHTML">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
<rule name="Clickjacking Protection" preCondition="IsHTML">
<match serverVariable="RESPONSE_X_Frame_Options" pattern=".*" />
<action type="Rewrite" value="SAMEORIGIN" />
</rule>
<rule name="Reflected XSS Attacks" preCondition="IsHTML">
<match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
<action type="Rewrite" value="1; mode=block" />
</rule>
<rule name="No Search Engine Indexing">
<match serverVariable="RESPONSE_X_Robots_Tag" pattern=".*" />
<action type="Rewrite" value="noindex, nofollow" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>