[Calzifer]

It does, but express doesn't tell it directly in the docs.

Instead http://expressjs.com/en/4x/api.html#app.listen sends you to https://nodejs.org/api/http.html#http_server_listen which also won't give the answer but sends you to https://nodejs.org/api/net.html#serverlisten which at some points finally documents that default is 0.0.0.0.

Welcome to the JavaScript ecosystem :/

[throwitaway1123]

I wouldn't exactly call this a failure of the JS ecosystem. The Express documentation you've linked to mentions that the host is the (optional) second argument to the listen function:

> app.listen([port[, host[, backlog]]][, callback])

You literally just have to run:

  app.listen(3000, '127.0.0.1')

If you don't trust the network you're on you should just be explicit about which IP address you'd like to listen on.

[stevage]

That's a sensible default. It would be super frustrating if by default the web server you built couldn't be accessed by anyone else in your network.