Currently in Vapor 3, the app boots up listening to connections on 127.0.0.1. Whilst this is fine for development locally, there are numerous Discord/Stackoverflow/forums posts about not being able to access it when deployed/from a phone when testing. The original reason for this was security to lock it down by default.
Whilst I agree with the intentions, I think this has made it harder to get started and proved a common stumbling block for new users of Vapor. In Vapor 4, I propose we default to 0.0.0.0 to allow connections for all IP addresses. There is a small security downside (though for a web server framework this is more of an edge case than the normal use case) and this should really be handled in security groups/firewalls instead.