The "hacker" you're concerned about doesn't need to modify your files, your customers' files, or even their browser's variables. They need only set the Referer header, which is trivial to do.
In order for the file you're talking about to be written, the customer's customer (or the "hacker") must interact somehow with your customer's website before using your API. The file will be written, and to your server, it will look like the request was valid.

I hate to be a killjoy, but it's impossible to completely restrict the web. The only way to prevent your API from being called by someone you didn't intend for is to let only your customers directly access it, and to not do things in the browser.

This is not a Perl problem. It's the same for any web application environment.