diff -u b/core/modules/image/src/Controller/ImageStyleDownloadController.php b/core/modules/image/src/Controller/ImageStyleDownloadController.php
--- b/core/modules/image/src/Controller/ImageStyleDownloadController.php
+++ b/core/modules/image/src/Controller/ImageStyleDownloadController.php
@@ -107,9 +107,10 @@
 $valid &= $request->query->get(IMAGE_DERIVATIVE_TOKEN) === $image_style->getPathToken($image_uri);
 }
 if (!$valid) {
- // Return 404 (not found) rather than 403 (access denied) since 404 may
- // be cached and thus is better under DDOS attacks. It is also likely to
- // be more accurate if an image token is not valid.
+ // Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
+ // image token is for DDoS protection rather than access checking. 404s
+ // are more likely to be cached (e.g. at a proxy) which enhances
+ // protection from DDoS.
 // @see https://www.drupal.org/node/2211429
 throw new NotFoundHttpException();
 }
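Review bot: The token comparison on the hunk's first context line still uses `===`, which is a byte-by-byte early-exit comparison, while the new comment now explicitly frames the query-string token as the DDoS guard for derivative generation; the standard primitive for comparing a secret-derived token is `hash_equals()`, e.g. `$valid &= hash_equals($image_style->getPathToken($image_uri), (string) $request->query->get(IMAGE_DERIVATIVE_TOKEN));`. The cast matters because `hash_equals()` throws a `TypeError` on a non-string argument and the query parameter may be absent; the cast keeps the "missing token is invalid" outcome the current line already has. Timing differences on a short in-process comparison are hard to observe over HTTP, so this is a hardening point rather than a known hole, but it costs nothing and matches how the same project compares tokens elsewhere. The enclosing method begins and ends outside this hunk, so the surrounding `$valid` initialisation is not visible here.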