Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
1.	Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


2.	Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor regards as the invention.
Claim 1 recites “determining, by the gateway, that the request comprises a User-Agent request header indicating an ability to interpret security headers.” The claim is unclear as to what element of the claims would possess the “ability to interpret security headers,” or, alternatively, whether the claim language is not meant to be directed to a claim element but just to a particular ability in the abstract.
Furthermore, the claim does not explicitly interpret security headers. The claim merely comprises an indication of an HTML content that identifies a security header and later adds a security header. Due to this, the precise meaning of the claim language is not limited by the claim language, as divergent interpretations can be held without otherwise affecting the claims.
Claims 8 and 15 are rejected for the same reasons as Claim 1.
Claims 2-7, 9-14, and 16-20 are rejected for depending on their respective claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1).

Claim 1	Santelia teaches a computer-implemented method, comprising:
receiving, by a gateway, (FIG. 3, Proxy 304/Application 302) a request calling an application (FIG. 3, HTTP Request 320, ¶0088, Proxy 304 receiving a request; ¶0003, wherein the request calls for a server application) with a service in a cloud environment; (¶0032, wherein the server application has a service, i.e. processes or application the client contacts over the network; ¶0071, wherein processes is provided within a cloud)
receiving, by the gateway and from the cloud environment, (FIG. 1, Data Processing Environment 100, ¶0071, comprising a cloud) a response to the request, (FIG. 3, HTTP Response 322, ¶0090, receiving the response to the request) wherein the response comprises a Content-Type response header; (FIG. 5A, 508, ¶0097, wherein the response comprises a content type response header)
determining, by the gateway, that the request comprises a User-Agent request header (FIG. 5A, User-Agent Header 503; ¶0054, the proxy analyzing the request header; ¶0096, wherein the analyze request has a user-agent request header and is so determined) indicating an ability to interpret security headers; (Examiner notes that it is not clear what has this ability to interpret security headers; however, Examiner considers the presence of readable headers as an indication of an ability to interpret security headers)
determining, by the gateway, that a type setting of the Content-Type response header indicates HTML content (FIG. 5A, Content-Type Header 508, ¶0090, wherein the content-type response header indicates “text/html” content) identifying that a security header is required (¶0036, wherein security headers are required) to satisfy application-specific requirements and the security header minimizes traffic overhead; (Examiner notes that “to satisfy application-specific requirements and the security header minimizes traffic overhead” comprises an intended use statement, the claim only incorporates a gateway determining that the response header indicates HTML content, which only identifies in a security header requirements; but this security header requirement is only an intended operation and being incorporated into the claim language) and
returning, by the gateway, the response to the request. (FIG. 3, Modified HTTP Response 330, ¶0091, returning the modified response)
However, Santelia does not explicitly teach determining, by the gateway, a security standard for use in securing the application in the cloud environment; 
adding, by the gateway, the security header to the response according to the security standard for securing the application in the cloud environment; and
overruling, by the gateway, default security settings of the gateway by using the security standard.
From a related technology, Bush teaches determining, by the gateway, a security standard for use in securing the application in the cloud environment; (FIG. 4, 410, Col. 11, Lines 3-30, determining a security standard for use by the gateway, security manager 410) 
adding, by the gateway, the security header to the response according to the security standard for securing the application in the cloud environment; (Col. 11, Lines 43-56, adding to the header to specify the security standard for securing the application)
overruling, by the gateway, default security settings of the gateway by using the security standard. (FIG. 4, Col. 11, Lines 3-11, overriding default security setting using the security standard for use by the gateway, security manager 410) 
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Santelia to incorporate the security setting techniques described in Bush in order to more effectively ensure network security. 

Claims 8 and 15 are rejected by Santelia in view of Bush as described for Claim 1. 

4.	Claims 2-3, 9-10 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Koide (US 20160323305 A1).

Claim 2	Santelia in view of Bush teaches Claim 1, but does not explicitly teach determining whether the response comprises a Content-Type response header that is set.
From a related technology, Koide teaches determining whether a response comprises a Content-Type response header that is set. (FIG. 1, FIG. 3, ¶00210-¶0214, an information processing apparatus includes a detection engine 25, FIG. 1, and a comparison unit 251, FIG. 3, which are configured to acquire and detect an HTTP request for content, FIG. 16; FIG. 17, ¶0241-¶0242, where the content indicates file types for different content such as HTML content and the detection engine 25 is also configured to process an HTTP response where it is determined whether the response includes a content file type set in a content-type header of the response, “TYPE VALUE OF REQUESTED CONTENT IS IN CONTENT-TYPE ?”, and is also determined whether the content-type header is not set)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Santelia to incorporate the teachings of Koide to determine whether a set content type header is included in the HTTP response. Both the systems taught by Santelia are configured to acquire and process HTTP requests and responses for content and therefore allow the determination/detection of a set content-type header in an HTTP response.

Claims 9 and 16 are taught by Santelia in view of Bush and Koide as described for Claim 2. 

Claim 3	Santelia in view of Bush and Koide teaches Claim 2 and further teaches determining that the Content-Type response header is set. (Koide, FIG. 17, ¶0242, the detection engine 25 is also configured to determine that the HTTP response includes the set content-type header, for example when it is determined that the content-type header is set with a Java value, the process moves to step S304 in Figure 17 and if it is determined that the response does not include a set content-type header the process moves to step 303 in Figure 17 where the body of the response is examined)

Claims 10 and 17 are taught by Santelia in view of Bush and Koide as described for Claim 3. 

5.	Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Berry (US 20040205249 A1).

Claim 4	Santelia in view of Bush teaches Claim 1, but does not explicitly teach in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. 
From a related technology, Berry teaches in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. (In Berry, upon determining and examining the content-type response header 125 [0025], the content type 202 which indicates the content-type in the response header 125 includes a list of content types such as text/css which indicates Cascading Style Sheet content, and other content types include JavaScript and jpg (Figure 2). Therefore, the determined content type 202 in the content-type response header may indicate any other content type other than the text/html when processing the HTTP response)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Santelia to incorporate the compression techniques utilized in Berry in order to enable users to see compressed pages faster. (Berry, ¶0005)

Claims 11 and 18 are taught by Santelia in view of Bush and Berry as described for Claim 4. 

6.	Claims 5-6, 12-13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Vanunu (US 20160381061 A1).

Claim 5	Santelia in view of Bush teaches Claim 1, and further teaches wherein the gateway is an ingress gateway, (Santelia, FIG. 3) wherein the ingress gateway processes all outgoing responses to a plurality of users. (Santelia, FIG. 3, wherein the client side proxy processes all the outgoing responses)
However, Santelia in view of Bush does not explicitly teach wherein the gateway is a gateway of a cloud environment, wherein the cloud environment comprises a plurality of applications and a plurality of application proxies.
From a related technology, Vanunu teaches wherein a gateway is a gateway of a cloud environment, (¶0035, a gateway processing all web traffic between a web server and client for a cloud computing environment) wherein the cloud environment comprises a plurality of applications (¶0004, wherein the web servers comprise a plurality of applications) and a plurality of application proxies. (FIG. 1, Web Application Hardening Proxy 120, ¶0036 HTTP Proxying Module 260, ¶0042)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Santelia to incorporate the plurality of web application and proxies provided in the system of Vanunu in order to provide the user with the exponentially growing amount of applications available while protecting them from the numerous web vulnerabilities that may be present. (Vanunu, ¶0002)

Claims 12 and 19 are taught by Santelia in view of Vanunu as described for Claim 5. 

Claim 6	Santelia in view of Bush and Vanunu teaches Claim 5, and further teaches determining that the response does not comprise an application-specific header, (Vanunu, FIG. 6, step 605, ¶0051, determining whether the response includes a security header, for example, an X-XSS-Protection HTTP header) wherein the application-specific header is set by an application of the plurality of applications or an application proxy of the plurality of application proxies; (Vanunu, ¶0051, wherein HTTP proxying module 260 sets the application-specific header, Examiner notes this element establishes who sets the application specific header, but does not establish a method step) and
in response to determining that the response does not comprise the application-specific header, adding a security header to the response. (Vanunu, FIG. 6, step 610, ¶0051, adding a security header in response to determining the application specific header is not present, for example adding the X-XSS-Protection HTTP Header)

Claim 13 is taught by Santelia in view of Bush and Vanunu as described for Claim 6.

7.	Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Nagai (US 2004021573).

Claim 7	Santelia in view of Bush teaches Claim 1, but does not explicitly teach in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header.
From a related technology, Nagai teaches in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header. (Nagai, FIG. 6, ¶0068, further teaches that when the HTTP request does not include a user-agent header, the HTTP response is sent without including the content, Examiner notes that this would be without any added security header)

Claims 14 and 20 are taught by Santelia in view of Bush and Nagai as described for Claim 7.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER PALACA CADORNA whose telephone number is (571)270-0584. The examiner can normally be reached M-F 10:00-7:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER P CADORNA/Examiner, Art Unit 2442
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442