There are a bunch of ways to go about this. But one of the easiest is adding <customHeaders>
section to the web.config and it will append that header to each request.
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>