Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see ). That's the typical threat scenario.
The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.
Instead of disabling basic auth on publish, just don't include the Authorization header in the /clientheaders config of the dispatcher configuration. That effectively prevents basic auth from the outside world.
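One way to check a dispatcher configuration for the /clientheaders point in the reply above, as an added example that is not part of the original post and not Adobe's code. The sample fragments are constructed, and the function names are hypothetical; it assumes quoted header entries and `#` comments as in a typical dispatcher.any file.

```python
import re

# Constructed dispatcher.any fragments for illustration (not from a real deployment).
WEAK = '''/clientheaders
  {
  "referer"
  "user-agent"
  "Authorization"  # forwards basic auth credentials to publish
  "cookie"
  }
/virtualhosts { "*" }
'''
HARDENED = '''/clientheaders
  {
  "referer"
  "user-agent"
  "cookie"
  }
/virtualhosts { "*" }
'''

def clientheaders(config_text):
    """Return the header names listed in every /clientheaders { ... } block."""
    text = re.sub(r'#[^\n]*', '', config_text)  # drop comments first
    headers = []
    for block in re.findall(r'/clientheaders\s*\{([^{}]*)\}', text):
        headers += re.findall(r'"([^"]*)"', block)
    return headers

def findings(config_text):
    """Flag entries that let a client's Authorization header reach publish."""
    out = []
    for name in clientheaders(config_text):
        if name.lower() == 'authorization':  # header names are case-insensitive
            out.append('Authorization header is forwarded')
        elif name == '*':  # wildcard forwards every header, Authorization included
            out.append('wildcard forwards all headers')
    return out

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK), ('hardened', HARDENED)):
        print(label, findings(cfg) or 'ok')
```

The wildcard entry in /virtualhosts is deliberately ignored, because only the /clientheaders block decides which request headers are passed through.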