The performance tests do not send atl security tokens because it would be a huge amount of work to do so. They do however send a header as above to disable the checks. This works on the assumption that users cannot modify the headers sent by the browser, from the browser or js.

Jira no longer respects this header, as such the performance tests are broken.