WebListener is windows-only HTTP / Web Server for ASP.NET Core that allows you to expose the server directly to the Internet without needing to use IIS. WebListener is built on top of Http.Sys ( the same mature technology that also powers IIS’ HTTP Listener) as is as such very feature rich and provides protection against various attacks.
Kestrel on the other hand, is a cross-platform web server for ASP.NET Core that is designed to be run behind a proxy (for example IIS or Nginx) and should not be deployed directly facing the Internet. Kestrel is relatively new and does not have a full complement of defenses against attacks. It’s also not as feature rich as WebListener and comes with timeout limits, size limits and concurrent user limits.
Kestrel in general has better performance, if you used for one of the following below:
- Great option if used in conjunction with a reverse proxy for apps exposed to Internet
- Internal apps connecting with other internal apps on a private virtual network (not exposed to Internet)
WebListener is more secure, slower, and has more features. It is used in these cases:
- Expose app to the Internet but can’t use IIS Require higher security and exposing server directly to Internet.
- Additional features: List item, Windows Authentication, Port sharing, HTTPS with SNI, HTTP/2 over TLS (Windows 10), Direct file transmission, Response caching