What security controls would you put in place to protect an API gateway from distributed denial-of-service (DDoS) and credential stuffing attacks?