There's a protocol that defending Man-In-The-Middle attack over https, called [HPKP](
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning).
This is done by adding a certification hash value in the HTTP response header, and the browser will record this hash in a specified period.