<configuration> <system.webServer> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="DENY" /> </customHeaders> </httpProtocol> </system.webServer> </configuration>