+ // Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
+ // image token is for DDoS protection rather than access checking. 404s
+ // are more likely to be cached (e.g. at a proxy) which enhances
+ // protection from DDoS.
+ throw new NotFoundHttpException();