Three Simple Practices for API Security