[1] A server uses it to deliver to the client (e.g. a web browser) a set of hashes of public keys that must appear in the certificate chain of future connections to the same domain name.
To combat this risk, the HTTPS web server serves a list of “pinned” public key hashes valid for a given time; on subsequent connections, during that validity time, clients expect the server to use one or more of those public keys in its certificate chain.
[2][3] The server communicates the HPKP policy to the user agent via an HTTP response header field named Public-Key-Pins (or Public-Key-Pins-Report-Only for reporting-only purposes).
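The following is an added example, not code from the original article or from any browser vendor: it computes `pin-sha256` values from DER-encoded SubjectPublicKeyInfo blobs, parses a `Public-Key-Pins` header, and applies the two checks a user agent performs under RFC 7469: whether a header may be noted at all (it needs `max-age`, at least one pin matching a key in the validated chain, and at least one backup pin that does not), and whether a later connection's chain satisfies the stored pins. The three SPKI blobs are constructed Ed25519-shaped DER structures with dummy key bytes, not real keys; the hostname, report URI and function names are assumptions for the illustration.

```python
"""HPKP (RFC 7469) pin computation, header parsing and chain checks.

Added example, not from the original page. The SPKI blobs below are constructed
for illustration: a valid Ed25519 SubjectPublicKeyInfo DER prefix followed by
32 dummy key bytes. A real user agent takes the SPKI of each certificate in the
chain it has just validated with the normal PKI rules.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed SPKIs: SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING key }
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
LEAF_SPKI = _ED25519_SPKI_PREFIX + b"\x11" * 32          # key served on the connection
INTERMEDIATE_SPKI = _ED25519_SPKI_PREFIX + b"\x22" * 32  # issuing CA key in the chain
BACKUP_SPKI = _ED25519_SPKI_PREFIX + b"\x33" * 32        # held offline, not yet deployed


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class HpkpPolicy:
    pins: List[str] = field(default_factory=list)
    max_age: int = 0
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def build_pkp_header(pins: List[str], max_age: int, include_subdomains: bool = False,
                     report_uri: Optional[str] = None) -> str:
    """Server side: serialize a Public-Key-Pins header value."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def parse_pkp_header(value: str) -> Optional[HpkpPolicy]:
    """Client side: parse the header; return None where the RFC says to ignore it."""
    policy = HpkpPolicy()
    saw_max_age = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(val, validate=True)
            except ValueError:
                return None                     # malformed base64 -> ignore header
            if len(digest) != 32:
                return None                     # not a SHA-256 digest -> ignore header
            policy.pins.append(val)
        elif name == "max-age":
            if not val.isdigit():
                return None
            policy.max_age, saw_max_age = int(val), True
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = val
        # unknown directives are ignored, per RFC 7469
    if not saw_max_age:
        return None                             # max-age is REQUIRED
    if len(policy.pins) < 2:
        return None                             # cannot satisfy the backup-pin rule
    return policy


def _chain_pins(chain_spki: List[bytes]) -> set:
    return {pin_sha256(spki) for spki in chain_spki}


def can_note_policy(policy: HpkpPolicy, chain_spki: List[bytes]) -> bool:
    """RFC 7469 noting rule: at least one pin matches the validated chain and at
    least one pin (the backup pin) does not. A header failing this is ignored,
    which protects sites from pinning themselves into a key they cannot rotate."""
    present = _chain_pins(chain_spki)
    pins = set(policy.pins)
    return bool(pins & present) and bool(pins - present)


def chain_matches(policy: HpkpPolicy, chain_spki: List[bytes]) -> bool:
    """Later connection within max-age: any pinned key anywhere in the chain passes."""
    return bool(set(policy.pins) & _chain_pins(chain_spki))


# Constructed server header: leaf pin plus an offline backup pin (assumed names/URIs).
SAMPLE_HEADER = build_pkp_header(
    [pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI)],
    max_age=5184000, include_subdomains=True,
    report_uri="https://example.com/hpkp-report",
)

if __name__ == "__main__":
    policy = parse_pkp_header(SAMPLE_HEADER)
    print("noted:", can_note_policy(policy, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print("rotated to unpinned key:", chain_matches(policy, [INTERMEDIATE_SPKI]))
```

Two points the code makes visible: a server that serves a header whose pins all appear in the chain has no backup pin and is ignored, and a later connection passes if any pinned key appears anywhere in the validated chain, so pinning an intermediate CA key leaves room to reissue the leaf. A `max-age=0` header is how a site tells clients to forget its pins.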
[1] It expands on static certificate pinning, which hardcodes public key hashes of well-known websites or services within web browsers and applications.
During its peak adoption, HPKP was reported to be used by about 3,500 of the top 1 million internet sites, a figure that had declined to around 650 by the end of 2019.