Tags: asp.net-mvc, asp.net-core-mvc, clickjacking

Clickjacking proof under Asp.net5 MVC6?


Before, I always added `<add name="X-Frame-Options" value="DENY" />` (or `"SAMEORIGIN"`) under `customHeaders` in the Web.config, but that's gone. Any idea how to do this in ASP.NET 5 / MVC 6?


Solution

  • Web.config is not gone. It has been moved from the project root to the /wwwroot folder. IIS still depends on these settings, including the X-Frame-Options setting that you mentioned, which works on all requests, not just those passed on to MVC. However, if you are not planning to host your application under IIS, you may need to find a different approach to enable these settings.

    I have just tested and verified that putting this section into the /wwwroot/web.config file adds the header on IIS Express.

    <!-- /wwwroot/web.config: the httpProtocol element sits under system.webServer -->
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <!-- IIS adds this header to every response it serves, MVC or static -->
            <add name="X-Frame-Options" value="DENY" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>
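The answer notes that the web.config route only works when IIS fronts the application. The following is an added example, not code from the question or the answer, showing the hosting-independent alternative: a small piece of ASP.NET Core middleware that stamps `X-Frame-Options` on every response, so Kestrel behind a non-IIS reverse proxy gets the same clickjacking protection. It assumes the ASP.NET Core 1.x-era `Microsoft.AspNetCore.*` namespaces (the ASP.NET 5 betas used `Microsoft.AspNet.*` instead) and a `Startup.Configure` method of your own; the class and method names below are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class Startup
{
    // Hypothetical Configure method; the app.Use(...) block is the part that matters.
    public void Configure(IApplicationBuilder app)
    {
        // Register the header middleware first so it covers every later
        // middleware's responses, including static files and MVC actions.
        app.Use(async (HttpContext context, System.Func<Task> next) =>
        {
            // OnStarting runs just before the first byte of the body is written,
            // which is the last point at which headers can still be changed.
            context.Response.OnStarting(() =>
            {
                // DENY forbids framing entirely; use "SAMEORIGIN" if the app
                // legitimately frames its own pages.
                context.Response.Headers["X-Frame-Options"] = "DENY";
                return Task.CompletedTask;
            });

            await next();
        });

        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```

Setting the header inside `OnStarting` rather than directly in the delegate avoids the "headers are read-only" failure that occurs when a downstream component has already started streaming the body. To verify the change, request any page (for example with `curl -i`) and confirm `X-Frame-Options: DENY` appears in the response headers; browsers that support Content-Security-Policy also honour a `frame-ancestors` directive, which can be sent alongside this header for the same purpose.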