HSTS
Damn. A Brazilian certificate authority trusted only by Microsoft has issued a presumably-unauthorized certificate for google.com: https://follow.agwa.name/notice/AoZSMI38xcA3TrN1sm
All security practices in the world are useless if one of the most visited sites such as Google gets an unauthorized TLS certificate issued. How this still exists in 2024 is beyond me.
Discussion
And CAA DNS record
Maybe you meant HPKP?
I meant https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
But actually it should be using a CAA DNS record to set which CA is allowed to sign certificates for the domain.