The following are some of the security headers you should enable in your web application.
Content-Security-Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
X-XSS-Protection

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
X-Content-Type-Options

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
X-Frame-Options

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Referrer-Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Strict-Transport-Security

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
This is how you can apply the headers in an IIS web.config (the block goes inside <system.webServer>):

        <httpProtocol>
            <customHeaders>
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="X-Frame-Options" value="DENY" />
                <add name="X-XSS-Protection" value="1; mode=block" />
                <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
            </customHeaders>
        </httpProtocol>
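
The configuration above sets four of the six headers listed on this page; Content-Security-Policy and Strict-Transport-Security are not in it. The following check is an added example, not part of the original page: it audits a raw HTTP response for all six headers. The function names, the constructed sample response, and the accepted values (DENY or SAMEORIGIN for X-Frame-Options, a positive max-age for HSTS) are this example's own assumptions.

```python
import re

POLICIES = set(
    "no-referrer no-referrer-when-downgrade origin origin-when-cross-origin "
    "same-origin strict-origin strict-origin-when-cross-origin unsafe-url".split())

def hsts_ok(value):  # max-age=0 clears HSTS, so require a positive value
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

# The six headers listed on this page, each with a check on its value.
CHECKS = {
    "content-security-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: all(
        t.strip().lower() in POLICIES for t in v.split(",")),
    "strict-transport-security": hsts_ok,
}

def parse_headers(raw):
    """Header block of a raw HTTP response -> {lowercased name: value}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return {header: "ok" | "missing" | "bad value: ..."} for the six headers."""
    headers = parse_headers(raw)
    report = {}
    for name, check in CHECKS.items():
        value = headers.get(name)
        report[name] = ("missing" if value is None else
                        "ok" if check(value) else "bad value: %r" % value)
    return report

SAMPLE_RESPONSE = (  # constructed: only the four headers the config above sets
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESPONSE).items():
        print(f"{name:28}{status}")
```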