mrXmr I would definitely recommend setting up HTTPS, as well as www or no-www redirects first, and then proceed with the installation. This removes the need to edit config.php afterwards.
If you are accessing the installer from an untrusted network, they will indeed be able to see your admin password and database password. Usually the database shouldn't be accessible from the wide internet so leaking the password shouldn't be an immediate cause for concern. The Flarum admin username and password however should be changed once the website is correctly configured if they were sent over HTTP. It's not just the credentials themselves, it's also the cookie of the admin session that would be leaked over HTTP, and changing the password should ensure the cookie gets invalidated. You could also terminate all sessions from the preferences > security page.
The same is true for the email credentials if you also enter those in the admin panel before configuring HTTPS.
Unless you are doing this over a public (hotel, restaurant, etc.) network I wouldn't be too concerned though... I would guess most of the credential stealing nowadays happens directly on a victim's computer via malware so no amount of encryption will save you from credentials and cookie theft if you are already infected.
If you are going to install a forum over a public untrusted connection I would suggest using a VPN in any case, it's not going to use a lot of bandwidth but you don't need anyone spying on you. In an extreme case if not using a VPN, even when using HTTPS a bad actor could lookup the domain, delay your request, access the installer script before you do and enter other information in the form. They wouldn't know the password for any valid database though so unlikely to complete the Flarum install, but still something that could technically happen.
