The security token here doesn't improve the security as the other requests that allow you to do the same thing aren't protected and I don't see why locking or draft creation should be subject of XSRF attacks.
