Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
1.	Applicant’s arguments have been considered but are not persuasive.
	Applicant’s arguments are directed to the elements of “an application with a backing service in a cloud environment” and the “security standard for use in securing the application in a production environment.” Applicant contends that Santelia does not teach these elements.
	Examiner respectfully disagrees.
	Applicant’s Specification [0008], [0026], and [0027] reference “backing service,” but do not define or even describe a backing service. Examiner provides, but does not rely upon, O’Reilly, which states that “A backing service is any service on which your application relies for its functionality. This is a fairly broad definition, and its wide scope is intentional.”
	As Applicant’s use of backing service (1) is broad and undefined as well as (2) disconnected from the overall claim, i.e. the backing service is never invoked, used, requested, etc. and (3) in fact the application “with” the backing service is never used or interacted with within the claim language, aside from the request calling the application, Examiner respectfully views the general disclosure of services provided by the server application as teaching the recited “application with a backing service.”
Applicant’s Specification [0017] and [0036] reference “security standard,” but these paragraphs define neither the composition of the security standard nor the specific relationship between the security standard and the security headers. For example, in [0017] the security standard relates to the mere requirement of the usage of security headers, but in [0036] the security standard comprises some repository of security headers that are to be used.

Examiner views the modification of the security headers in Santelia ¶0108 as being in “accordance with a security standard,” wherein the security standard is the security policy, i.e. the security expectation, implemented in Santelia.
	
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

2.	Claims 1, 8, and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Santelia et al. (US 20200169536 A1).

Claim 1	Santelia teaches a computer-implemented method, comprising:
receiving, by a gateway, (FIG. 3, Proxy 304/Application 302) a request calling an application (FIG. 3, HTTP Request 320, ¶0088, Proxy 304 receiving a request; ¶0003, wherein the request calls for a server application) with a backing service in a cloud environment; (¶0032, wherein the server application has a backing service, i.e. processes or applications the client contacts over the network; ¶0071, wherein the processes are provided within a cloud)
receiving, by the gateway, (FIG. 3, Application 302/Proxy 304) a response to the request; (FIG. 3, HTTP Response 322, ¶0090, receiving the response to the request)
determining, by the gateway, whether the request comprises a User-Agent request header; (FIG. 5A, User-Agent Header 503; ¶0054, the proxy analyzing the request header; ¶0096, wherein the analyzed request has a user-agent request header and is so determined)
in response to determining that the request comprises a User-Agent request header, determining, by the gateway, a type setting of a Content-Type response header, (FIG. 5A, Content-Type Header 508) wherein the Content-Type response header is comprised in the response; (¶0090, determining header types of the response, wherein the response header comprises a content-type response and is so determined) and
in response to determining that the request comprises a User-Agent request header and that the type setting of the Content-Type response header comprised in the response indicates HTML content: (FIG. 5A, Content-Type Header 508, ¶0090, wherein the content-type response header indicates “text/html” content)
adding, by the gateway, a security header to the response according to a security standard for use in securing the application in a production environment; (FIG. 6D, Security Headers 664 and 616/666, ¶0108, modifying the response with security headers according to the security standard, the standard being the inclusion of x-xss-protection or content-security-policy headers) and
returning, by the gateway, the response. (FIG. 3, Modified HTTP Response 330, ¶0091, returning the modified response)

Claims 8 and 15 are rejected by Santelia as described for Claim 1. 

3.	Claims 2-3, 9-10 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Koide (US 20160323305 A1).

Claim 2	Santelia teaches Claim 1, but does not explicitly teach determining whether the response comprises a Content-Type response header that is set.
From a related technology, Koide teaches determining whether a response comprises a Content-Type response header that is set. (FIG. 1, FIG. 3, ¶00210-¶0214, an information processing apparatus includes a detection engine 25, FIG. 1, and a comparison unit 251, FIG. 3, which are configured to acquire and detect an HTTP request for content, FIG. 16; FIG. 17, ¶0241-¶0242, where the content indicates file types for different content such as HTML content and the detection engine 25 is also configured to process an HTTP response where it is determined whether the response includes a content file type set in a content-type header of the response (“TYPE VALUE OF REQUESTED CONTENT IS IN CONTENT-TYPE?”) and it is also determined whether the content-type header is not set)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Santelia to incorporate the teachings of Koide to determine whether a set content type header is included in the HTTP response. Both the systems taught by Santelia are configured to acquire and process HTTP requests and responses for content and therefore allow the determination/detection of a set content-type header in an HTTP response.

Claims 9 and 16 are taught by Santelia in view of Koide as described for Claim 2. 

Claim 3 	Santelia in view of Koide teaches Claim 2 and further teaches determining that the Content-Type response header is set (Koide, FIG. 17, ¶0242, the detection engine 25 is also configured to determine that the HTTP response includes the set content-type header, for example when it is determined that the content-type header is set with a Java value, the process moves to step S304 in Figure 17 and if it is determined that the 

Claims 10 and 17 are taught by Santelia in view of Koide as described for Claim 3. 

4.	Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Berry (US 20040205249 A1).

Claim 4	Santelia teaches Claim 1, but does not explicitly teach in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. 
From a related technology, Berry teaches in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. (In Berry, upon determining and examining the content-type response header 125 [0025], the content type 202 which indicates the content-type in the response header 125 includes a list of content types such as text/css which indicates Cascading Style Sheet content, and other content types include JavaScript and jpg (Figure 2). Therefore, the determined content type 202 in the content-type response header may indicate any other content type other than the text/html when processing the HTTP response)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Santelia to incorporate the compression techniques utilized in Berry in order to enable users to see compressed pages faster. (Berry, ¶0005)

Claims 11 and 18 are taught by Santelia in view of Berry as described for Claim 4. 

5.	Claims 5-6, 12-13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Vanunu (US 20160381061 A1).

Claim 5	Santelia teaches Claim 1, and further teaches wherein the gateway is an ingress gateway, (Santelia, FIG. 3) wherein the ingress gateway processes all outgoing responses to a plurality of users. (Santelia, FIG. 3, wherein the client side proxy processes all the outgoing responses)
However, Santelia does not explicitly teach wherein the gateway is a gateway of a cloud environment, wherein the cloud environment comprises a plurality of applications and a plurality of application proxies.
From a related technology, Vanunu teaches wherein a gateway is a gateway of a cloud environment, (¶0035, a gateway processing all web traffic between a web server and client for a cloud computing environment) wherein the cloud environment comprises a plurality of applications (¶0004, wherein the web servers comprise a plurality of applications) and a plurality of application proxies. (FIG. 1, Web Application Hardening Proxy 120, ¶0036 HTTP Proxying Module 260, ¶0042)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Santelia to incorporate the plurality of web application and proxies provided in the system of Vanunu in order to provide the user with the exponentially growing amount of applications available while protecting them from the numerous web vulnerabilities that may be present. (Vanunu, ¶0002)

Claims 12 and 19 are taught by Santelia in view of Vanunu as described for Claim 5. 

Claim 6	Santelia in view of Vanunu teaches Claim 5, and further teaches determining that the response does not comprise an application-specific header, (Vanunu, FIG. 6, step 605, ¶0051, determining whether the response includes a security header, for example, a X-XSS-Protection HTTP header) wherein the application-specific header is set by an application of the plurality of applications or an application proxy of the plurality of application proxies; (Vanunu, ¶0051, wherein HTTP proxying module 260 sets the application-specific header, Examiner notes this element establishes who sets the application specific header, but does not establish a method step) and 
in response to determining that the response does not comprise the application-specific header, adding a security header to the response (Vanunu, FIG. 6, step 610, ¶0051, adding a security header in response to determining the application specific header is not present, for example adding the X-XSS-Protection HTTP Header)

Claim 13 is taught by Santelia in view of Vanunu as described for Claim 6.

6.	Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Nagai (US 2004021573).

Claim 7	Santelia teaches Claim 1, but does not explicitly teach in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header.
From a related technology, Nagai teaches in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header. (Nagai, FIG. 6, ¶0068, further teaches that when the HTTP request does not include a user-agent header, the HTTP response is sent without including the content, Examiner notes that this would be without any added security header)

Claims 14 and 20 are taught by Santelia in view of Nagai as described for Claim 7.
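
For readers following the claim mapping, the gateway decision logic recited across Claims 1, 4, 6 and 7 can be sketched as below. This is an added illustration and is not part of the Office Action, the application, or any cited reference; the function names and the header values in SECURITY_STANDARD are assumptions (only the header names X-XSS-Protection and Content-Security-Policy appear in the text above).

```python
# Added illustration of the claimed gateway logic; not code from any cited reference.
# Header names come from the text above; the values are constructed placeholders.
SECURITY_STANDARD = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}


def _get(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_html(content_type):
    """True when the media type is text/html, ignoring parameters and case."""
    if not content_type:  # header absent or empty, i.e. not "set" (Claims 2-3)
        return False
    return content_type.split(";", 1)[0].strip().lower() == "text/html"


def gateway_process(request_headers, response_headers):
    """Return (response headers to send, list of header names the gateway added)."""
    out = dict(response_headers)
    added = []
    # Claim 7: no User-Agent request header, return the response unchanged.
    if _get(request_headers, "User-Agent") is None:
        return out, added
    # Claim 4: Content-Type does not indicate HTML, return the response unchanged.
    if not is_html(_get(out, "Content-Type")):
        return out, added
    # Claims 1 and 6: add each header from the standard only when the
    # application or its proxy has not already set it.
    for name, value in SECURITY_STANDARD.items():
        if _get(out, name) is None:
            out[name] = value
            added.append(name)
    return out, added


if __name__ == "__main__":
    # Constructed sample exchange.
    request = {"User-Agent": "Mozilla/5.0"}
    response = {"Content-Type": "text/html; charset=utf-8"}
    print(gateway_process(request, response))
```
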

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER PALACA CADORNA whose telephone number is (571)270-0584. The examiner can normally be reached M-F 10:00-7:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER P CADORNA/Examiner, Art Unit 2442
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442