I have found these to work with Episerver, and they will provide most of the recommended security headers. You can test them on observer.mozilla.org. It would also be nice if Episerver made a comment in web.config on how to enable secure cookies. It would break Episerver on localhost to have them on by default, but it should encourage developers to remember to turn them on, or provide transforms that can be used.
These are the settings we have applied in our projects too (the first 6 entries).
To remove the ASP.NET version header we've used the httpRuntime element's attribute: enableVersionHeader="false"
And to remove the ASP.NET MVC version we've used: MvcHandler.DisableMvcResponseHeader = true; (in global.asax.cs Application_Start)
Something to add to the Alloy MVC demo and the new Episerver project template.
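As an added illustration (not the settings either poster attached), here is a web.config fragment that combines the points raised in the thread: the enableVersionHeader="false" attribute, Secure/HttpOnly cookies that are kept out of the base config so localhost keeps working, and a set of response headers of the kind Mozilla's scanner checks for. The header values are assumed defaults, not Episerver's own recommendations.

```xml
<configuration>
  <system.web>
    <!-- Drops the X-AspNet-Version header (the httpRuntime setting from the reply above). -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Marks every ASP.NET cookie HttpOnly. requireSSL="true" breaks plain-http localhost
         runs, which is why the thread suggests setting it in a Release transform instead
         of here. -->
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- Removes the "Server: Microsoft-IIS/x" header (IIS 10 and later). -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Framework fingerprint added by IIS; the MVC version header is removed in
             Application_Start as the reply describes. -->
        <remove name="X-Powered-By" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <!-- Only meaningful on HTTPS; browsers ignore it over plain HTTP. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <!-- Assumed starting policy: deploy as Content-Security-Policy-Report-Only first,
             since the Episerver edit UI may need inline script and style allowances. -->
        <add name="Content-Security-Policy-Report-Only" value="default-src 'self'; frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A Web.Release.config transform can then flip requireSSL to "true" and promote the CSP from Report-Only to enforcing once the report output is clean.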