DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in India on 12/16/2020.  It is noted, however, that applicant has not filed a certified copy of the 20204105696 application as required by 37 CFR 1.55.
The IDS filed 3/16/2021 has been considered.
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Burckhardt et al. (U.S. Patent Application Publication Number 2018/0302406), hereinafter referred to as Burckhardt.
Regarding claim 1, Burckhardt discloses an application program interface (API) management architecture comprising an API gateway, the API gateway comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving an authentication request (paragraph 82, authentication request received); generating a cross site request forgery (CSRF) token (paragraph 82, server-side credential); generating a session based on the authentication request (paragraph 82, establishes secure communication channel); generating a cookie comprising session properties associated with the session, the cookie further comprising an attribute flag associated with the CSRF token (paragraph 82, client-side credential containing hash code); transmitting an authentication response comprising the cookie and the CSRF token (paragraph 82, authentication response includes client-side credential and server-side credential); receiving an operation request to perform a first operation (paragraph 84, authenticated request); determining whether or not the CSRF token and the attribute flag are received along with the operation request (paragraph 84, checks if cookie with random value exists and checks if token contains hash value); and performing the first operation based on the CSRF token and the attribute flag received along with the operation request, or a second operation based on the CSRF token not being received along with the operation request (paragraph 87, authenticated response).
Regarding claim 2, Burckhardt discloses wherein determining whether or not the attribute flag is received along with the operation request further comprises determining the attribute flag is present in a header of the operation request (paragraph 85, client-side credential in authorization header), further comprising: performing the first operation based on a value of the attribute flag, and on the CSRF token being present in the operation request (paragraph 87, successful verification).
Regarding claim 3, Burckhardt discloses determining the CSRF token is not present in the operation request (paragraph 84, checks if cookie with random value exists); and performing the second operation based on a value of the attribute flag, and on the CSRF token not being present in the operation request (paragraph 87, verification not successful).
Regarding claim 4, Burckhardt discloses wherein: the cookie is implemented as a JavaScript Object Notation (JSON) Web Token (JWT) token (paragraph 82, client-side credential is JWT); and the operation request is required to be accompanied by the CSRF token based on the attribute flag, for the API gateway to allow one or more services associated with the operation request (paragraph 87, conditional on successful verification).
Regarding claim 5, Burckhardt discloses wherein: the authentication request is received based on a user of a client device selecting an authentic link (paragraph 82, authentication request); and the CSRF token is a first CSRF token, further comprising: performing the second operation based on determining a second operation request is received from the client device, based on the user of the client device selecting a malicious link, the second operation request determined to be received from the malicious client based on: the second operation comprising no CSRF token; or the second operation comprising a second CSRF token that does not match the first CSRF token (paragraph 84, checks if cookie with random value exists).
Regarding claim 6, Burckhardt discloses wherein the authentication request is received based on a user of a client device selecting an authentic link (paragraph 82, authentication request), further comprising: performing the second operation based on determining the operation request is received from the client device, based on the user of the client device selecting a malicious link, the second operation comprising not transmitting an operation response to the client device (paragraph 87, verification not successful).
Regarding claim 7, Burckhardt discloses wherein: the authentication request is received based on a user of a client device selecting an authentic link (paragraph 82, authentication request), further comprising: performing the first operation based on determining the operation request is received from the client device, the first operation comprising transmitting an operation response to the client device (paragraph 87, authenticated response).
Regarding claim 8, Burckhardt discloses a method, for an application program interface (API) gateway, the method comprising: receiving data comprising session properties associated with a client device (paragraph 82, establishes secure communication channel), the data further comprising an indicator associated with a secret value (paragraph 82, client-side credential containing hash code), the secret value being associated with an internal secret utilized to generate a session to provide services for the client device (paragraph 82, server-side credential); transmitting the data and the secret value (paragraph 82, authentication response includes client-side credential and server-side credential); receiving an operation request to perform a first operation (paragraph 84, authenticated request); determining whether or not the secret value is received along with the operation request, based at least in part on the indicator (paragraph 84, checks if cookie with random value exists and checks if token contains hash value); and performing the first operation based at least in part on the secret value being received along with the operation request, or a second operation based at least in part on the secret value not being received along with the operation request (paragraph 87, authenticated response).
Regarding claim 9, Burckhardt discloses receiving a session request (paragraph 82, authentication request received), wherein: the session is generated based at least in part on the session request (paragraph 82, establishes secure communication channel); the session is hashed with the internal secret utilized to generate the secret value (paragraph 82, creates hash code); and a requirement for the secret value is indicated by the indicator, the indicator being generated as an attribute flag (paragraph 82, client-side credential containing hash code).
Regarding claim 10, Burckhardt discloses wherein the secret value is a cross site request forgery (CSRF) token (paragraph 82, server-side credential).
Regarding claim 11, Burckhardt discloses wherein the data is a cookie, and the cookie further comprises session properties associated with the session (paragraph 82, client-side credential containing hash code).
Regarding claim 12, Burckhardt discloses performing the first operation based at least in part on a value of the indicator, the value indicating a requirement of the secret value accompanying the operation request (paragraph 52, checks if JWT token contains hash).
Regarding claim 13, Burckhardt discloses wherein the indicator is an attribute flag, further comprising: performing the first operation based at least in part on the attribute flag determined to be present in a header of the operation request (paragraph 85, client-side credential in authorization header), and further based at least in part on the secret value accompanying the operation request (paragraph 84, checks if cookie with random value exists).
Regarding claim 14, Burckhardt discloses wherein: the indicator is an attribute flag; and performing the second operation is based at least in part on the attribute flag, and on the secret value not accompanying the operation request (paragraph 84, checks if cookie with random value exists, and paragraph 87, verification not successful).
Regarding claim 15, Burckhardt discloses a mobile device executing a web browser, the mobile device comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: transmitting a first request with an indicator (paragraph 82, authentication request received), the indicator being utilized to generate a cookie associated with a secret value (paragraph 82, client-side credential), the secret value being associated with an internal secret utilized to generate a session to provide services for the mobile device (paragraph 82, server-side credential, and paragraph 82, establishes secure communication channel); receiving a response, the response comprising the cookie and the secret value (paragraph 82, authentication response includes client-side credential and server-side credential), the cookie comprising an attribute flag associated with the secret value (paragraph 82, client-side credential containing hash code); and transmitting a second request to perform an operation, the second request comprising the cookie with the attribute flag (paragraph 84, authenticated request), the operation being performed based at least in part on the attribute flag and the secret value being transmitted along with the second request (paragraph 84, checks if token contains hash value and checks if cookie with random value exists, and paragraph 87, authenticated response).
Regarding claim 16, Burckhardt discloses wherein: the first request is a session request (paragraph 82, authentication request received); and the indicator utilized to generate the cookie and to set a value of the attribute flag is inserted in a header of the session request (paragraph 82, request within OAuth authorization protocol).
Regarding claim 17, Burckhardt discloses wherein: the session is generated based at least in part on the first request (paragraph 82, establishes secure communication channel); the session is hashed with an internal secret utilized to generate the secret value (paragraph 82, creates hash code); and a requirement for the secret value is indicated by the attribute flag (paragraph 82, client-side credential containing hash code).
Regarding claim 18, Burckhardt discloses wherein: the secret value is a cross site request forgery (CSRF) token (paragraph 82, server-side credential); and the cookie further comprises session properties associated with the session (paragraph 82, client-side credential containing hash code).
Regarding claim 19, Burckhardt discloses wherein the operation is performed further based at least in part on a value of the attribute flag indicating a requirement that the secret value be present in the second request (paragraph 52, checks if JWT token contains hash).
Regarding claim 20, Burckhardt discloses wherein the response is a first response received from an application program interface (API) gateway (paragraph 2, RESTful API), further comprising: receiving a second response from the API gateway, the second response comprising data indicating that a third request received by the API gateway was declined based at least in part on the third request being received without any CSRF token (paragraph 87, verification not successful).
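The mechanism recited in claims 1, 8-9 and 15 (a session cookie that carries an attribute flag, a secret value derived by hashing the session with an internal secret, and a gateway that performs a first operation when the token accompanies the request or a second operation when it does not) is illustrated by the following added example. It is not the applicant's or Burckhardt's code; the Gateway class, the X-CSRF-Token header name, the JSON cookie layout (a stand-in for the JWT of claim 4) and the placeholder secret are all constructed for this example.

```python
"""Flagged session cookie plus CSRF-token check, illustrating the mechanism the
claims describe. Added example, not the applicant's or Burckhardt's code; every
name, the header, the cookie layout and the secret below are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed placeholder; a real gateway loads this from a key store.
INTERNAL_SECRET = b"example-internal-secret-do-not-reuse"
CSRF_HEADER = "X-CSRF-Token"  # assumed header name for the secret value


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_cookie(props: dict, secret: bytes) -> str:
    """Session properties plus the attribute flag, integrity-protected with an
    HMAC so the holder cannot silently clear the flag (stand-in for a signed JWT)."""
    payload = b64url(json.dumps(props, sort_keys=True).encode())
    sig = b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def decode_cookie(cookie: str, secret: bytes):
    """Return the session properties, or None if the cookie is malformed or its
    signature does not verify."""
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(unb64url(payload))


@dataclass
class AuthResponse:
    cookie: str       # session properties + attribute flag
    csrf_token: str   # secret value, carried in the response body, not in the cookie


class Gateway:
    def __init__(self, internal_secret: bytes):
        self._secret = internal_secret
        self._sessions = {}  # session id -> properties

    def csrf_token_for(self, session_id: str) -> str:
        # The session is hashed with the internal secret to derive the secret
        # value, so the gateway can recompute it and need not store it.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user: str, require_csrf: bool = True) -> AuthResponse:
        """Authentication request -> new session, cookie with the attribute
        flag, and the CSRF token alongside it in the authentication response."""
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = {"user": user}
        props = {"sid": session_id, "user": user, "csrf_required": require_csrf}
        return AuthResponse(encode_cookie(props, self._secret), self.csrf_token_for(session_id))

    def handle_operation(self, cookie: str, headers: dict) -> dict:
        """Choose the first operation (serve) or the second (decline) from the
        flag in the cookie and the token in the request headers."""
        props = decode_cookie(cookie, self._secret)
        if props is None or props.get("sid") not in self._sessions:
            return {"status": 401, "body": "invalid or unknown session cookie"}
        if props.get("csrf_required", True):
            token = headers.get(CSRF_HEADER)
            expected = self.csrf_token_for(props["sid"])
            if token is None or not hmac.compare_digest(token.encode(), expected.encode()):
                # Second operation: the cookie arrived (browsers attach it
                # automatically) but the secret value did not, as in a
                # cross-site forged request. Claim 20's declined response.
                return {"status": 403, "body": "declined: CSRF token missing or mismatched"}
        # First operation.
        return {"status": 200, "body": f"operation performed for {props['user']}"}


def clear_flag_without_key(cookie: str) -> str:
    """Rewrite the cookie's flag to false while keeping the old signature; used
    to show that the signature check, not the flag itself, is what holds."""
    payload, sig = cookie.split(".")
    props = json.loads(unb64url(payload))
    props["csrf_required"] = False
    return f"{b64url(json.dumps(props, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    gw = Gateway(INTERNAL_SECRET)
    auth = gw.authenticate("alice")
    print(gw.handle_operation(auth.cookie, {CSRF_HEADER: auth.csrf_token}))
    print(gw.handle_operation(auth.cookie, {}))
    print(gw.handle_operation(clear_flag_without_key(auth.cookie), {}))
```

Because the attribute flag travels in the client-held cookie, the example HMAC-signs the cookie so that a cookie whose flag was cleared fails signature verification before the flag is ever consulted; without that protection the flag would be an opt-out the holder controls. The decline path returns the explicit "declined" response of claim 20; the variant of claim 6, in which no operation response is sent at all, would simply drop the request instead.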

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Okunlola et al. (U.S. Patent Application Publication Number 2021/0211469) disclosed techniques for preventing cross-site request forgery based on predefined security requirements.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493