The only one without an easy listed solution for was the “Server” header. I was able to remove it locally in IIS and in an Azure web site by adding this in the web.config
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>