Use certificates that specify OCSP Must-Staple
The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.
TLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
That's correct, not without paying a premium. Besides, I've no reason to want to do that.
Kenneth Barber commented
You can't choose the certificates that your website uses?