How do you secure APIs against automated credential stuffing attacks, and what rate-limiting strategies would you recommend?