At this point, I believe that you have fully configured reverse proxy for SharePoint portal. Your portal is now behind an application firewall the IIS ARR. Since all traffic now is back and fort to through reverse proxy, now we have freedom to modify the response from SharePoint before it arrives to the client browser. The next step is to clean-up the response header. You can remove Origin-By and add SAMEORIGIN restriction in response header by modifying web.