The following are some of the required security headers that you should enable in your web application.
Content-Security-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
X-XSS-Protection (legacy header: current browsers no longer honour it, so rely on Content-Security-Policy and keep this one only for old clients)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
X-Content-Type-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
X-Frame-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Referrer-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Strict-Transport-Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
This is how you can apply the headers in web.config (the customHeaders element sits under system.webServer; note the straight quotes and that the Referrer-Policy value must not carry a leading space):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
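To verify the deployed configuration rather than trust the file, here is an added example (not from the original page) that audits a response's headers against the list above: it flags the two headers the web.config snippet does not set (Content-Security-Policy and Strict-Transport-Security), a stray space in the Referrer-Policy value, and a short HSTS max-age. The sample header sets are constructed; in practice you would pass in the headers returned by your own site.

```python
"""Audit HTTP response headers against the security headers listed above."""
import re
from typing import Dict, List

# Policy tokens defined by the Referrer-Policy specification.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds, the commonly recommended minimum


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.strip().lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (legacy header; CSP is the modern control)")
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp != rp.strip():
        # Browsers tolerate surrounding whitespace, but it signals a mis-typed config value.
        findings.append("Referrer-Policy value has surrounding whitespace")
    elif rp.lower() not in REFERRER_POLICIES:
        findings.append(f"Referrer-Policy value {rp!r} is not a recognised policy")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age should be at least one year")
    return findings


# Constructed sample: what the web.config snippet above would send, with the leading-space typo.
PAGE_CONFIG_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": " strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for finding in audit_headers(PAGE_CONFIG_HEADERS):
        print("FAIL:", finding)
```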