Very nice solution. Using .env variables makes it even more secure and allows flexible per-server configuration.
The only concern I’ve gotten on top of my mind, .env might already exist in the root folder of your project. Like, latest Symfony framework has it, or Golang also relies on .env file to specify the variables. But I’ve met many other examples.
Thus, my suggestion here is to first check if the file doesn’t exist yet, otherwise your JS script might erase existing variables used by another part of your non-js-only app.