diff --git a/core/modules/serialization/src/EventSubscriber/DefaultExceptionSubscriber.php b/core/modules/serialization/src/EventSubscriber/DefaultExceptionSubscriber.php
index 5774a31..c111640 100644
--- a/core/modules/serialization/src/EventSubscriber/DefaultExceptionSubscriber.php
+++ b/core/modules/serialization/src/EventSubscriber/DefaultExceptionSubscriber.php
@@ -8,7 +8,7 @@
use Symfony\Component\Serializer\SerializerInterface;
/**
- * Exception subscriber for handling default error responses in serialization formats.
+ * Exception subscriber for handling default error responses in serialization formats.
*/
class DefaultExceptionSubscriber extends HttpExceptionSubscriberBase {
@@ -106,6 +106,16 @@ public function on406(GetResponseForExceptionEvent $event) {
}
/**
+ * Handles a 429 error for HTTP.
+ *
+ * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
+ * The event to process.
+ */
+ public function on429(GetResponseForExceptionEvent $event) {
+ $this->setEventResponse($event, Response::HTTP_TOO_MANY_REQUESTS);
+ }
+
+ /**
* Sets the Response for the exception event.
*
* @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
diff --git a/core/modules/user/src/Controller/UserAuthenticationController.php b/core/modules/user/src/Controller/UserAuthenticationController.php
index 4e7d784..c8644f6 100644
--- a/core/modules/user/src/Controller/UserAuthenticationController.php
+++ b/core/modules/user/src/Controller/UserAuthenticationController.php
@@ -18,7 +18,7 @@
use Symfony\Component\Serializer\Serializer;
/**
- * Provides controllers for login, login status and logout.
+ * Provides controllers for login, login status and logout via HTTP requests.
*/
class UserAuthenticationController extends ControllerBase implements ContainerInjectionInterface {
@@ -76,7 +76,7 @@ class UserAuthenticationController extends ControllerBase implements ContainerIn
*
* @var array
*/
- protected $serializerFormats = array();
+ protected $serializerFormats = [];
/**
* Constructs a new UserAuthenticationController object.
@@ -276,7 +276,7 @@ protected function getRequestFormat(Request $request) {
protected function floodControl(Request $request, $username) {
$flood_config = $this->config('user.flood');
if (!$this->flood->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
- throw new AccessDeniedHttpException('Access is blocked because of IP based flood prevention.', NULL, 403);
+ throw new AccessDeniedHttpException('Access is blocked because of IP based flood prevention.', NULL, Response::HTTP_TOO_MANY_REQUESTS);
}
if ($identifier = $this->getLoginFloodIdentifier($request, $username)) {
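Review bot: The third argument to AccessDeniedHttpException on the added throw line is the exception's generic code, not its HTTP status, so the response is still sent as 403 and the new on429 handler in DefaultExceptionSubscriber is never reached (assuming HttpExceptionSubscriberBase dispatches on getStatusCode(), which is outside this diff); the throw in the -284 hunk of this file has the same problem. Symfony's TooManyRequestsHttpException carries a real 429 status, e.g. `throw new TooManyRequestsHttpException(NULL, 'Access is blocked because of IP based flood prevention.');` together with `use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;` in the import block above this hunk. Its first parameter is the Retry-After value; passing the remaining block time, bounded by `$flood_config->get('ip_window')` visible here, would let well-behaved clients back off, provided setEventResponse copies the exception's headers onto the response. The diff also adds no use statement for Response, so confirm that class is already imported in this file; floodControl continues past the end of the hunk.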
@@ -284,12 +284,12 @@ protected function floodControl(Request $request, $username) {
// Default is to allow 5 failed attempts every 6 hours.
if (!$this->flood->isAllowed('user.http_login', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
if ($flood_config->get('uid_only')) {
- $error_message = $this->formatPlural($flood_config->get('user_limit'), 'There has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or request a new password.', 'There have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.');
+ $error_message = sprintf('There have been more than %s failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.', $flood_config->get('user_limit'));
}
else {
- $error_message = $this->t('Too many failed login attempts from your IP address. This IP address is temporarily blocked.');
+ $error_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
}
- throw new AccessDeniedHttpException($error_message, NULL, 403);
+ throw new AccessDeniedHttpException($error_message, NULL, Response::HTTP_TOO_MANY_REQUESTS);
}
}
}
@@ -313,15 +313,14 @@ protected function getLoginFloodIdentifier(Request $request, $username) {
// Register flood events based on the uid only, so they apply for any
// IP address. This is the most secure option.
$identifier = $account->id();
- return $identifier;
}
else {
// The default identifier is a combination of uid and IP address. This
// is less secure but more resistant to denial-of-service attacks that
// could lock out all users with public user names.
$identifier = $account->id() . '-' . $request->getClientIp();
- return $identifier;
}
+ return $identifier;
}
return '';
}