User registers account on a web app. Passwords are salted and hashed. But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses TLS.
So if the password is found on any breach - don't allow to register an account. If password not found in breach - salt it and store it in a database.
Same would apply if changing the password.
Have I Been Pwned? allows anyone to download the full database to perform the checks locally.
If that's not an option, using the API is safe, since it uses k-anonimity which allows you to perform the check without transmitting the full password / hash.
n and get 1/16^n of the whole database. So for the recommended n=5 and assuming one is fine with SHA-1 collisions, k would be ~ 1.4*10^42.
As of the posting of this answer, the question asks if it is safe to send a password "before salting and hashing it", which means in plaintext. You should never send a password in plaintext to a third party (second party may be OK if you are currently logging in). Even hashing the password is not enough, as a Rainbow Table can be used to look up the password. This is why when I saw someone (hashing and) sending every single password in a KeePass database to HIBP, I immediately called them out on it.
As other answers have pointed out, there is a new version of HIBP that includes k-anonymity (see that link and the other answers for more info). However, this is still divulging some information about the passwords (to HIBP, and any potential MITM attacker. Divulging some information is nowhere near as bad as leaking the entire password, but is still something you should be concerned about. What you really want is your passwords to be secure, not anonymous.
Ultimately, if you want to ensure that no information about your passwords is leaked in the checking process, you have to download the entire DataBase of pwned passwords, and hash and check your password locally (in this case, on the server because noone wants to download the entire DB just to create an account). Just don't store the password or the hash you are comparing to the DB anywhere, only store the salted hash in your actual password database.
If the operator of the Pwned Passwords API is malicious (or the service is hacked by a malicious person, or someone intercepts your communication) it can lie about certain passwords (only return a subset of passwords it knows for that hash), record where the request came from, identify the website belonging to that ID, identify the account (based on creation time, for example) and test it with the passwords it lied about, for a decent chance of account compromise.
This is a fairly unlikely scenario (the owner of the API is a respectable security professional, the list of known hashes is public, and doing this kind of attack without being detected would be hard), so it depends on how risk-averse you are. If you run a discussion board, using the API is definitely a good idea. If you run an e-bank, maybe not so much.
Downloading the database and doing the checks locally is of course safer, but not a trivial task, given the size.
abc123? Even "safe" and KeePass'd passwords might have been pwned. Why not provide a password strength meter?Password123$!is a presumably a strong but crap password as well but it has not been pwned. I am not saying that the HIBP is useless but OP's planned implementation will lead to frustration, forgotten passwords, sticky-note passwords, and flat out finding a different provider of the same service.