I hadn’t looked at HTTP Public Key Pinning (HPKP) in detail at until Pokemon Go vs. Certificate Pinning, and later realized how bad things could get with HPKP and RansomPKP. Now, as I read I’m giving up on HPKP from Scott Helme (@Scott_Helme) I think I agree with this statement:
The problem with HPKP is that it can be quite a complex idea to get your head around and requires a perfect deployment otherwise things can go wrong.
So, what instead? Maybe use Certificate Authority Authorization (CAA), which is a DNS record that lists the Certificate Authorities (CAs) which are permitted to issue certificates for your domain. Luckily for our AWS based projects, Amazon Route 53 now supports CAA records.