Under normal php installations, the fact that all web processes run as the same user can present a security concern. Because the web server process needs to read the database connection information, any php script hosted on the web server is capable of reading the info. As a result, Maia should not be installed on a web server where php scripts can be installed by users not authorized for Maia admin access. Even with safe mode enabled, it may be possible to create session cookie attacks to gain access to the the hosted Maia application (or other web apps). In short, keep your critical web applications on a dedicated server away from any virtual hosting.

Placing the Maia web pages under SSL control is encouraged, to protect usernames and passwords while in transit to the Maia server. If Maia detects an HTTPS session, it will specify a secure session cookie, which will only be returned by web browsers via https connections. (Since revision [1317]) This keeps the session cookie from being observable in transit.