Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation
1.	Examiner notes the following based upon Applicant’s claim amendments. 

	Applicant has amended the claim to recite “wherein the presence of a User-Agent request header indicates that the requestor is configured to interpret a security header.”
	Examiner notes that this claim comprises in significant part an intended use statement. The requestor is only configured to, i.e. “capable of,” interpreting a security header. As the requestor is not otherwise limited by the claims (as the requestor is outside the scope of the claims), this would broadly include any device capable of processing security headers. Furthermore, as the claim does not specify any specific security header, and as such does not limit the scope of a “security header,” any device capable of reading a transmission would be adequate to teach the “requestor” of the claims. 
	Furthermore, Examiner views an “indication” as being a term of degree, as the common definition of “to indicate” is “to imply.” As such, Examiner notes that the claim will be further rejected under 35 U.S.C. §112(b) for being indefinite. 
	Furthermore, Examiner considers the amendment as a whole as being indefinite for missing a necessary linking step or limitation. The claim states that a User-Agent request header “indicates” that the requestor is configured to interpret a security header. However, the claim element lacks the necessary linking elements to tie these elements together.
	
Response to Arguments
2.	Applicant’s arguments have been considered but are not persuasive. 
	On page 9, Applicant raises the issues of intended use with respect to the claim language “based on the type setting of the Content-Type response header and to satisfy application-specific requirements of the application, adding, by the gateway and according to a security standard, the security header to the response to secure the application.”
	Applicant then merely asserts that Santelia does not teach the claim element. However, Applicant has not addressed the intended use present in the claims, and furthermore, Examiner relies not merely on Santelia for teaching this limitation, but on Santelia in view of Bush. 

	On pages 9-10, Applicant raises the issue of whether a security header is dispositive to “an ability to interpret security headers.”
	First, Examiner notes that it is inherent for a “security header” to be interpreted. Interpretation is subjective, and the claim does not limit what “interpretation” must be made from interpreting a security header. As such, without relevant limitations, a security header will necessarily be interpreted, as an interpretation can include wrong or illogical interpretations. 
	Second, the present claim amendment uses the term “indicates,” which means “to imply,” which makes it a term of degree, and as such the claim language is indefinite. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


2.	Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor regards as the invention.
Claim 1 recites “wherein the presence of a User-Agent request header indicates that the requestor is configured to interpret a security header.” The claim is indefinite because (1) to “indicate” is to merely “imply” and as such is a term of degree and (2) the claim omits necessary linking elements to connect the presence with the requestor. 
Claims 8 and 15 are rejected for the same reasons as Claim 1.
Claims 4-7, 11-14, and 18-20 are rejected for depending on their respective claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1).

Claim 1	Santelia teaches a computer-implemented method, comprising:
receiving, by a gateway and from a requestor (FIG. 3, Proxy 304/Application 302 and Client Application 308), a request calling an application (FIG. 3, HTTP Request 320, ¶0088, Proxy 304 receiving a request; ¶0003, wherein the request calls for a server application) with a service in a cloud environment; (¶0032, wherein the server application has a service, i.e. application the client contacts; ¶0071, wherein processes are provided within a cloud)
receiving, by the gateway and from the cloud environment, (FIG. 1, Data Processing Environment 100, ¶0071, comprising a cloud) a response to the request, (FIG. 3, HTTP Response 322, ¶0090, receiving the response to the request) wherein the response comprises a Content-Type response header; (FIG. 5A, 508, ¶0097, wherein the response comprises a content type response header) 
determining, by the gateway, that the request comprises presence of a User-Agent request header, (FIG. 5A, User-Agent Header 503; ¶0054, the proxy analyzing the request header; ¶0096, wherein to analyze request determines the included user-agent request header) wherein the presence of a User-Agent request header indicates that the requestor is configured to interpret a security header; (¶0002, wherein a request header includes a section identifying data needed, which indicates the ability to read relevant security headers) 
determining, by the gateway, that the Content-Type response header is set in the request; (FIG. 5A, Content-Type Header 508, ¶0090, wherein the content-type response header is located, i.e. set, within the request) 
determining, by the gateway, that a type setting of the Content-Type response header indicates HTML content; (FIG. 5A, Content-Type Header 508, ¶0090, wherein the content-type response header indicates “text/html” content) and 
returning, by the gateway, the response to the request. (FIG. 3, Modified HTTP Response 330, ¶0091, returning the modified response)
However, Santelia does not explicitly teach based on the type setting of the Content-Type response header and to satisfy application-specific requirements of the application, 
adding, by the gateway and according to a security standard, the security header to the response to secure the application; and 
overruling, by the gateway and using the security standard, default security settings of the gateway.
From a related technology, Bush teaches based on a type setting of the Content-Type response header (Col. 10, Lines 23-35, based on the nature of the job, i.e. a type setting of a Content-Type response header) and to satisfy application-specific requirements of the application, (Examiner notes that “to satisfy application-specific requirements of the application” comprises an intended use statement and does not have patentable weight) adding, by the gateway and according to a security standard, the security header to the response to secure the application; (Col. 11, Lines 43-56, adding to the header to specify the security standard for securing the application) and 
overruling, by the gateway and using the security standard, default security settings of the gateway. (FIG. 4, Col. 11, Lines 3-11, overriding default security setting using the security standard for use by the gateway, security manager 410)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Santelia to incorporate the security setting techniques described in Bush in order to more effectively ensure network security. 

Claims 8 and 15 are rejected by Santelia in view of Bush as described for Claim 1. 

4.	Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Berry (US 20040205249 A1).

Claim 4	Santelia in view of Bush teaches Claim 1, but does not explicitly teach in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. 
From a related technology, Berry teaches in response to determining that the type setting of the Content-Type response header does not indicate the HTML content, returning the response responsive to the request without the security header. (In Berry, upon determining and examining the content-type response header 125 [0025], the content type 202 which indicates the content-type in the response header 125 includes a list of content types such as text/css which indicates Cascading Style Sheet content, and other content types include JavaScript and jpg (Figure 2). Therefore, the determined content type 202 in the content-type response header may indicate any other content type other than the text/html when processing the HTTP response)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Santelia to incorporate the compression techniques utilized in Berry in order to enable users to see compressed pages faster. (Berry, ¶0005)

Claims 11 and 18 are taught by Santelia in view of Bush and Berry as described for Claim 4. 

5.	Claims 5-6, 12-13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Vanunu (US 20160381061 A1).

Claim 5	Santelia in view of Bush teaches Claim 1, and further teaches wherein the gateway is an ingress gateway, (Santelia, FIG. 3) wherein the ingress gateway processes all outgoing responses to a plurality of users. (Santelia, FIG. 3, wherein the client side proxy processes all the outgoing responses)
However, Santelia in view of Bush does not explicitly teach wherein the gateway is a gateway of a cloud environment, wherein the cloud environment comprises a plurality of applications and a plurality of application proxies. 
From a related technology, Vanunu teaches wherein a gateway is a gateway of a cloud environment, (¶0035, a gateway processing all web traffic between a web server and client for a cloud computing environment) wherein the cloud environment comprises a plurality of applications (¶0004, wherein the web servers comprise a plurality of applications) and a plurality of application proxies. (FIG. 1, Web Application Hardening Proxy 120, ¶0036 HTTP Proxying Module 260, ¶0042)
It would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Santelia to incorporate the plurality of web application and proxies provided in the system of Vanunu in order to provide the user with the exponentially growing amount of applications available while protecting them from the numerous web vulnerabilities that may be present. (Vanunu, ¶0002)

Claims 12 and 19 are taught by Santelia in view of Vanunu as described for Claim 5. 

Claim 6	Santelia in view of Bush and Vanunu teaches Claim 5, and further teaches determining that the response does not comprise an application-specific header, (Vanunu, FIG. 6, step 605, ¶0051, determining whether the response includes a security header, for example, a X-XSS-Protection HTTP header) wherein the application-specific header is set by an application of the plurality of applications or an application proxy of the plurality of application proxies; (Vanunu, ¶0051, wherein HTTP proxying module 260 sets the application-specific header, Examiner notes this element establishes who sets the application specific header, but does not establish a method step) and 
in response to determining that the response does not comprise the application-specific header, adding a security header to the response (Vanunu, FIG. 6, step 610, ¶0051, adding a security header in response to determining the application specific header is not present, for example adding the X-XSS-Protection HTTP Header)

Claim 13 is taught by Santelia in view of Bush and Vanunu as described for Claim 6.

6.	Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Santelia et al. (US 20200169536 A1) in view of Bush et al. (US 9800474 B1) and Nagai (US 2004021573).

Claim 7	Santelia in view of Bush teaches Claim 1, but does not explicitly teach in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header.
From a related technology, Nagai teaches in response to determining that the request does not comprise the User-Agent request header, returning the response without the security header. (Nagai, FIG. 6, ¶0068, further teaches that when the HTTP request does not include a user-agent header, the HTTP response is sent without including the content, Examiner notes that this would be without any added security header)

Claims 14 and 20 are taught by Santelia in view of Bush and Nagai as described for Claim 7. 
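
The decision flow recited across Claims 1, 4, 6 and 7, sketched as an added illustration that is not taken from the application or from any cited reference. The function names, the gateway default value and the "security standard" value are constructed assumptions; X-XSS-Protection is used only because it is the example header named above.

```python
# Added illustration; all names and values here are hypothetical/constructed.
GATEWAY_DEFAULTS = {"X-XSS-Protection": "0"}               # constructed gateway default
SECURITY_STANDARD = {"X-XSS-Protection": "1; mode=block"}  # constructed "security standard"


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_html(content_type):
    """True when the media type, ignoring parameters such as charset, is text/html."""
    if not content_type:
        return False
    return content_type.split(";", 1)[0].strip().lower() == "text/html"


def filter_response(request_headers, response_headers):
    """Return (headers, reason) for the response the gateway sends back."""
    out = dict(response_headers)
    # Claim 7 branch: no User-Agent header in the request, response is untouched.
    if get_header(request_headers, "User-Agent") is None:
        return out, "no User-Agent: returned unchanged"
    # Claim 4 branch: Content-Type does not indicate HTML, response is untouched.
    if not is_html(get_header(out, "Content-Type")):
        return out, "not HTML: returned unchanged"
    # Claim 1: the security standard overrules the gateway default for each header.
    effective = {**GATEWAY_DEFAULTS, **SECURITY_STANDARD}
    added = []
    for name, value in effective.items():
        # Claim 6: add only when the application or its proxy did not set the header.
        if get_header(out, name) is None:
            out[name] = value
            added.append(name)
    reason = "added " + ", ".join(added) if added else "application header kept"
    return out, reason


if __name__ == "__main__":
    req = {"User-Agent": "ExampleBrowser/1.0"}             # constructed request
    resp = {"Content-Type": "text/html; charset=utf-8"}    # constructed response
    print(filter_response(req, resp))
```
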

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER PALACA CADORNA whose telephone number is (571)270-0584. The examiner can normally be reached M-F 10:00-7:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER P CADORNA/Examiner, Art Unit 2442
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442