Andy Soiron authored
The JSON endpoint will be requested by frontend using a JWT that Atlassian provides via JavaScript. This JWT will likely use a context-qsh because Atlassian don't know for which endpoint it will be used.

Read more about context JWT here: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/

This is the second attempt to add this change. The first one (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83836) got reverted after an incident (https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6774).

This problem was fixed in this commit by only verifying qsh on the index action.
c8ceafc8