The origin of the POST request

Is there any way I could know exactly on which server the POST request was sent?

I am trying to implement a method in which I could verify that a specific request has arisen from my website, and therefore this will help me protect my website

Thanks

+6
4 answers

It looks like you are trying to implement Cross-Site Request Forgery protection, in which you need to make sure that the request came from the HTML delivered from your web server. Do not rely on the referrer header for this, as it is often shared in firewalls and can be manipulated.

See OWASP for some good sources on how to implement such protection. This basically happens as follows:

  • Create a secure random value and store it in the user session

  • For each HTML form, include this value as a hidden value ()

  • Whenever a POST request is returned to your server, check that the value from the hidden field matches the value in the user session. Reject the request if it is not.

Because the value is unique to each user, an attacker cannot simply fake a form with pre-populated values and trick a user into sending it automatically using JavaScript. The request will be rejected because the attacker will not know what value to include for the hidden field in its fake form.

+8
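The three steps in the answer above, carried out end to end as an added example in plain Python (this is not code from the answer or from OWASP); the in-memory session dict, the field name csrf_token and the constructed sample submissions are assumptions.

```python
# Added example (not from the original answers): the synchronizer-token pattern
# the accepted answer describes, in plain Python with no web framework.
import html
import hmac
import secrets

SESSION_KEY = "csrf_token"  # assumed session key name


def issue_token(session: dict) -> str:
    """Step 1: create a secure random value once per session and store it."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def render_form(session: dict, action: str = "/transfer") -> str:
    """Step 2: embed the session's token as a hidden field in every form."""
    token = html.escape(issue_token(session), quote=True)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def is_valid_post(session: dict, form_fields: dict) -> bool:
    """Step 3: accept the POST only if the hidden field matches the session.

    compare_digest avoids leaking the token through timing differences; a
    missing session token (no form was ever rendered) is always a rejection."""
    expected = session.get(SESSION_KEY)
    submitted = form_fields.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> tuple:
    """Genuine submission vs. two forged ones (constructed sample data)."""
    session = {}  # server-side session for one logged-in user
    render_form(session)  # user loads the real page; the token is issued here
    genuine = {"csrf_token": session[SESSION_KEY], "amount": "10"}
    # A third-party page cannot read the victim's session, so it can only guess
    forged_no_token = {"amount": "10000"}
    forged_guess = {"csrf_token": secrets.token_urlsafe(32), "amount": "10000"}
    return (is_valid_post(session, genuine),
            is_valid_post(session, forged_no_token),
            is_valid_post(session, forged_guess))
```

demo() returns (True, False, False): only the submission carrying the session's own token is accepted.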

You want $_SERVER["REMOTE_ADDR"].

+1

Source: https://habr.com/ru/post/895522/
