diff --git a/core/modules/image/config/install/image.settings.yml b/core/modules/image/config/install/image.settings.yml
index c92db4e155..9587642f13 100644
--- a/core/modules/image/config/install/image.settings.yml
+++ b/core/modules/image/config/install/image.settings.yml
@@ -1,3 +1,4 @@
 preview_image: core/modules/image/sample.png
 allow_insecure_derivatives: false
 suppress_itok_output: false
+allowed_insecure_styles: []
diff --git a/core/modules/image/config/schema/image.schema.yml b/core/modules/image/config/schema/image.schema.yml
index 5368f85f4c..e6b9f32342 100644
--- a/core/modules/image/config/schema/image.schema.yml
+++ b/core/modules/image/config/schema/image.schema.yml
@@ -93,6 +93,12 @@ image.settings:
 suppress_itok_output:
 type: boolean
 label: 'Suppress the itok query string for image derivatives'
+allowed_insecure_styles:
+type: sequence
+label: 'Allow insecure derivates for these image styles'
+sequence:
+type: string
+label: 'Image style'
 field.storage_settings.image:
 type: field.storage_settings.file
diff --git a/core/modules/image/src/Controller/ImageStyleDownloadController.php b/core/modules/image/src/Controller/ImageStyleDownloadController.php
index c943452b5b..a939609d16 100644
--- a/core/modules/image/src/Controller/ImageStyleDownloadController.php
+++ b/core/modules/image/src/Controller/ImageStyleDownloadController.php
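Review bot: The label on the new `allowed_insecure_styles` schema entry in image.schema.yml misspells "derivatives" as "derivates", and this string is what the config UI and translation tooling will show. Change it to `label: 'Allow insecure derivatives for these image styles'`. Since the setting relaxes the derivative token check per style, a label that states the effect plainly helps whoever reviews the site's configuration later.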
@@ -128,9 +128,11 @@ public function deliver(Request $request, $scheme, ImageStyleInterface $image_st
 // The $target variable for a derivative of a style has
 // styles//... as structure, so we check if the $target variable
 // starts with styles/.
+$image_config = $this->config('image.settings');
 $token = $request->query->get(IMAGE_DERIVATIVE_TOKEN, '');
 $token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token);
-if (!$this->config('image.settings')->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0) {
+if ((!$image_config->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0)
+&& (empty($image_config->get('allowed_insecure_styles')) || !in_array($image_style->getName(), $image_config->get('allowed_insecure_styles')))) {
 $valid = $valid && $token_is_valid;
 }
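Review bot: The new allowlist clause is ANDed with the whole original condition, so a style listed in `allowed_insecure_styles` also skips the `styles/` prefix check that the comment above describes as catching derivatives of derivatives, not just the global `allow_insecure_derivatives` switch. Unless that widening is intended, keep the prefix check unconditional and let the allowlist relax only the global flag: `$allowed_styles = $image_config->get('allowed_insecure_styles') ?? [];`, `$style_is_allowed = in_array($image_style->getName(), $allowed_styles, TRUE);` and `if (strpos(ltrim($target, '\/'), 'styles/') === 0 || (!$image_config->get('allow_insecure_derivatives') && !$style_is_allowed)) {`. That form also reads the config value once instead of twice and passes `strict: TRUE` to `in_array`, which the hunk omits. `deliver()` starts and ends outside the hunk.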