The fact that it won't improve security, since you'll still have token in this HTML and it's pretty much the same. Not to mention that token is valid for max 1 hour. But why aren't you using usual proxy setup that just stores credentials on the reverse proxy side and credentials are never exposed to the end user?
Also since 7.11 you'll be able to use anonymous access instead of Kibana + reverse proxy.
Best,
Oleg