1- Prevent X-Frame and enable X-XSS-Protection
using configuration file settings
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-UA-Compatible" value="IE=edge,chrome=1" />
<add name="X-Frame-Options " value="DENY" />
<add name=" X-XSS-Protection" value="1" />
</customHeaders>
</httpProtocol>
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
2-prevent X-frame in file global.ascx
Protected Sub Application_BeginRequest()
Response.AddHeader("X-Frame-Options", "DENY")
End Sub
3-