diff --git a/core/modules/image/src/Controller/ImageStyleDownloadController.php b/core/modules/image/src/Controller/ImageStyleDownloadController.php
index 3e4bcf0..63eba40 100644
--- a/core/modules/image/src/Controller/ImageStyleDownloadController.php
+++ b/core/modules/image/src/Controller/ImageStyleDownloadController.php
@@ -102,9 +102,11 @@ public function deliver(Request $request, $scheme, ImageStyleInterface $image_st
     // generated without a token can set the
     // 'image.settings:allow_insecure_derivatives' configuration to TRUE to
     // bypass the latter check, but this will increase the site's vulnerability
-    // to denial-of-service attacks.
+    // site's vulnerability to denial-of-service attacks. To prevent this
+    // variable from leaving the site vulnerable to the most serious attacks, a
+    // token is always required when a derivative of a derivative is requested.
     $valid = !empty($image_style) && file_stream_wrapper_valid_scheme($scheme);
-    if (!$this->config('image.settings')->get('allow_insecure_derivatives')) {
+    if (!$this->config('image.settings')->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0) {
       $valid &= $request->query->get(IMAGE_DERIVATIVE_TOKEN) === $image_style->getPathToken($image_uri);
     }
     if (!$valid) {
diff --git a/core/modules/image/src/Entity/ImageStyle.php b/core/modules/image/src/Entity/ImageStyle.php
index 2e77f7f..1d15432 100644
--- a/core/modules/image/src/Entity/ImageStyle.php
+++ b/core/modules/image/src/Entity/ImageStyle.php
@@ -270,6 +270,13 @@ public function flush($path = NULL) {
    * {@inheritdoc}
    */
   public function createDerivative($original_uri, $derivative_uri) {
+
+    // If the source file doesn't exist, return FALSE without creating folders.
+    $image = \Drupal::service('image.factory')->get($original_uri);
+    if (!$image->isValid()) {
+      return FALSE;
+    }
+
     // Get the folder for the final location of this style.
     $directory = drupal_dirname($derivative_uri);
 
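Review bot: The new `strpos(ltrim($target, '\/'), 'styles/') === 0` test only recognises a derivative-of-derivative when `styles/` is the literal first segment of the raw request path, so a path such as `./styles/...` (or `Styles/...` on a case-insensitive filesystem) is not classified as one and, with `allow_insecure_derivatives` enabled, would still be served without a token; whether such a path resolves to the same derivative depends on the stream wrapper, which is outside this hunk, as is the line that assigns `$target` (deliver() begins before the hunk). Consider normalising `.`/`..` segments before the prefix test, or matching the `styles` segment anywhere instead of only as a prefix, e.g. `in_array('styles', explode('/', str_replace('\\', '/', $target)), TRUE)`, which errs toward requiring a token. Separately, the added comment repeats the words the preceding context line already ends with ("the site's vulnerability"); the first added line should read `// to denial-of-service attacks. To prevent this` and the two lines after it reflowed accordingly.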
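Review bot: The comment above the relocated guard says only that the source "doesn't exist", but `isValid()` presumably also fails for a source that exists yet cannot be loaded (unreadable, or not an image the toolkit accepts), and since this guard is now what stops a request for an arbitrary path from creating a directory under the style folder, the comment should state the whole condition: `// Load the source before touching the filesystem: if it is missing or not a loadable image, return FALSE so no derivative directory is created for it.` As far as the hunk shows the failure is also silent, so an operator cannot distinguish a missing source from a broken image toolkit; if the remainder of createDerivative(), which continues past this hunk, does not log either, a logged notice naming `$original_uri` at this early return would help.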
@@ -279,11 +286,6 @@ public function createDerivative($original_uri, $derivative_uri) {
       return FALSE;
     }
 
-    $image = \Drupal::service('image.factory')->get($original_uri);
-    if (!$image->isValid()) {
-      return FALSE;
-    }
-
     foreach ($this->getEffects() as $effect) {
       $effect->applyEffect($image);
     }