HTTP_REFERER is not security, it's far from it. It is sent from the user's computer to your server, which means that the user can change the value to whatever they want. I could bypass your "security" with one line in PHP_Curl, so you asked a good question.
The easiest way is to provide a SESSION TOKEN when they visit the valid calling page, then on the JSON script check that the TOKEN is still valid.
You could also, on the calling page, send a "key" via the URL request and check that it's valid. This "key" changes every 24 hours, so if someone does game your system it will be a bit more of a pain.
You could run an IP check (though not advisable).
Encode the JSON and decode it on the calling page?
The best solution is not to secure the data, as everything is breakable and you're just delaying the inevitable; if someone wants it and is determined, they could get it.
This is incorrect; they only need to visit the homepage (calling page). Give them the session, then check it on the JSON request.
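The session-token check described in the answer, as an added example that is not part of the original post. The function names, the `json_token` session key, the 15-minute lifetime and the file names in the comments are assumptions.

```php
<?php
const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

// Calling page: create a random token, store it in the session and
// return it so the page can send it along with its JSON request.
function issue_token(array &$session, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(32));
    $session['json_token'] = ['value' => $token, 'expires' => $now + TOKEN_TTL];
    return $token;
}

// JSON script: accept the request only if the submitted token matches
// the one stored in this visitor's session and has not expired.
function token_is_valid(array $session, $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!is_string($submitted) || !isset($session['json_token'])) {
        return false; // no token sent, or the calling page was never visited
    }
    $stored = $session['json_token'];
    // hash_equals compares in constant time
    return $now <= $stored['expires'] && hash_equals($stored['value'], $submitted);
}

// Wiring on the calling page (assumed name index.php):
//   session_start();
//   $token = issue_token($_SESSION);
//   echo '<script>const JSON_TOKEN = ' . json_encode($token) . ';</script>';
//
// Wiring on the JSON script (assumed name data.php):
//   session_start();
//   if (!token_is_valid($_SESSION, $_GET['token'] ?? null)) {
//       http_response_code(403);
//       exit;
//   }

// Constructed demonstration with a plain array standing in for $_SESSION.
$session = [];
$token = issue_token($session, 1000);
var_dump(token_is_valid($session, $token, 1100));                  // token from the calling page
var_dump(token_is_valid($session, 'guess', 1100));                 // wrong token
var_dump(token_is_valid($session, $token, 1000 + TOKEN_TTL + 1));  // token past its lifetime
var_dump(token_is_valid([], $token, 1100));                        // request with no session
```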