Common regex patterns
Battle-tested patterns for the things developers match every day. Every card has a
Test live button that opens the pattern in the tester with sample text —
and an honest note about what the pattern does not handle, because every regex is a trade-off.
Email address
/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g Pragmatic everyday validation. Full RFC 5322 compliance needs a parser, not a regex.
URL (http/https)
/https?:\/\/[\w.-]+(?:\.[\w.-]+)+[\w\-._~:/?#[\]@!$&'()*+,;=%]*/g Matches http and https URLs including paths, query strings and fragments.
IPv4 address
/\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b/g Validates each octet is 0–255 — plain \d{1,3} would accept 999.
Date (YYYY-MM-DD)
/\b\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b/g ISO 8601 dates with month 01–12 and day 01–31. Does not check month length or leap years.
Time (HH:MM 24h)
/\b([01]\d|2[0-3]):[0-5]\d\b/g 24-hour clock, 00:00 through 23:59.
Hex color
/#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\b/g Both #abc shorthand and #aabbcc full form.
UUID (any version)
/\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/g The standard 8-4-4-4-12 hex layout. Generate some at uuidnow.com.
Slug (URL-friendly)
/^[a-z0-9]+(?:-[a-z0-9]+)*$/ Lowercase words separated by single hyphens — no leading/trailing/double hyphens.
International phone (E.164)
/\+[1-9]\d{6,14}/g The +country-code format used by SMS APIs like Twilio: + then 7–15 digits.
Strong password check
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$/ Four lookaheads: lowercase, uppercase, digit, symbol — and at least 8 characters total.
Number with thousands separators
/\b\d{1,3}(?:,\d{3})+(?:\.\d+)?\b/g Matches 1,234 and 12,345,678.90 — not bare 1234.
HTML tag (for quick scraping)
/<([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g Opening tags with attributes, capturing the tag name. For real parsing use a DOM parser.
A word of caution
Validation regexes are gatekeepers, not guarantees: an email can match the pattern and still not exist.
Prefer permissive patterns plus a real check (send the email, ping the URL) over
ever-more-baroque regexes. And when a pattern must run on user input, test it against hostile strings in
the freeze-proof tester first — nested quantifiers have taken down production systems.