Which security measure binds a TLS certificate to a specific key to prevent MITM attacks?

Prepare for the MIPC Exam 2 with our comprehensive study material. Engage with flashcards and multiple choice questions, each accompanied by hints and explanations. Ensure you're ready to excel!

Multiple Choice

Which security measure binds a TLS certificate to a specific key to prevent MITM attacks?

Explanation:
The answer is certificate pinning. With pinning, the client is shipped with the expected server certificate or, more commonly, a SHA-256 hash of the server's public key (its SubjectPublicKeyInfo), and after the TLS handshake it accepts the server only if the presented certificate or key matches one of the pinned values. This is an extra check on top of normal chain and hostname validation, not a replacement for it. It ties the server's identity to a specific key, so an active man-in-the-middle is blocked even if the attacker presents a certificate that chains to a trusted root, for example one misissued by a compromised or coerced certificate authority. The other options do not enforce this one-to-one binding: hardening TLS versions removes protocol-level flaws but still trusts any certificate a trusted CA signs; Certificate Transparency logs make misissuance detectable after the fact rather than stopping an active interception; and stronger cipher suites change the cryptography negotiated but not whose key is being trusted. Pinning therefore gives a concrete, client-side defense against MITM. Be mindful that pinning is brittle: when the server's certificate or key rotates, the pins must be updated first (typically by pinning the public key rather than the leaf certificate and always including a backup pin for the next key), or legitimate connections will fail. For this reason pinning is mostly used in mobile and first-party clients; browsers removed the HPKP header because of the same fragility.
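As an added example (not part of the Passetra study material), here is an SPKI-pinning check in Python of the kind the explanation describes. It computes the base64 SHA-256 pin of a certificate's SubjectPublicKeyInfo with a small DER walker, accepts a presented certificate only if its pin is in a pin set that includes a backup pin for rotation, and shows how the same check would be applied on a live TLS connection on top of normal validation. The certificates in the block are constructed, certificate-shaped DER stand-ins with dummy signatures (no real keys, no real hostname); `build_fake_cert`, `extract_spki`, `pin_matches` and `connect_with_pins` are names chosen for this example.

```python
"""SPKI pinning demo: added example, not code from the study material."""
import base64
import hashlib
import hmac
import socket
import ssl


def der(tag, body):
    """Encode one DER TLV (short- or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, pos, _ = read_tlv(cert_der, 0)                   # outer Certificate SEQUENCE
    tag, pos, _ = read_tlv(cert_der, pos)               # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # explicit [0] version present
        pos = end
    for _ in range(5):                                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]


def spki_pin(spki_der):
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the format HPKP and OkHttp use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the presented certificate's SPKI hash is in the pin set (constant-time compare)."""
    presented = spki_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(presented, p) for p in pins)


def connect_with_pins(host, pins, port=443, timeout=5.0):
    """Open a TLS connection and require the leaf SPKI to match a pin.

    The pin check runs in addition to, not instead of, the chain and hostname
    validation that create_default_context() performs.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf_der, pins):
                raise ssl.SSLError(f"SPKI pin mismatch for {host}: refusing to send data")
            return tls.version()


# --- constructed fixtures for the demo; these are not real keys or certificates ---
ED25519_ALG = der(0x30, bytes.fromhex("06032b6570"))   # AlgorithmIdentifier { id-Ed25519 }


def fake_spki(pubkey32):
    return der(0x30, ED25519_ALG + der(0x03, b"\x00" + pubkey32))


def build_fake_cert(spki):
    """Certificate-shaped DER with empty names and a dummy signature, enough for SPKI extraction."""
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ED25519_ALG
              + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + ED25519_ALG + der(0x03, b"\x00" * 65))


CURRENT_SPKI = fake_spki(bytes(range(32)))        # key the server uses today
NEXT_SPKI = fake_spki(bytes(range(32, 64)))       # backup key prepared for rotation
ROGUE_SPKI = fake_spki(bytes(range(64, 96)))      # key in a misissued cert an attacker presents

PINS = [spki_pin(CURRENT_SPKI), spki_pin(NEXT_SPKI)]   # always ship at least one backup pin

if __name__ == "__main__":
    print("pin set:", PINS)
    print("current cert accepted:", pin_matches(build_fake_cert(CURRENT_SPKI), PINS))
    print("rotated cert accepted:", pin_matches(build_fake_cert(NEXT_SPKI), PINS))
    print("rogue cert accepted:  ", pin_matches(build_fake_cert(ROGUE_SPKI), PINS))
```

The rogue certificate fails even though nothing in this check looks at who signed it; that is exactly the property the question asks about. For a real server the pin value is computed with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, and because the pin covers the public key rather than the whole certificate, a renewal that reuses the key pair does not change it; a key rotation does, which is why `PINS` carries the next key's pin before the switch happens.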
