Common regex patterns

Battle-tested patterns for the things developers match every day. Every card has a Test live button that opens the pattern in the tester with sample text — and an honest note about what the pattern does not handle, because every regex is a trade-off.

Email address

/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g

Pragmatic everyday validation. Full RFC 5322 compliance needs a parser, not a regex.

▶ Test live

URL (http/https)

/https?:\/\/[\w.-]+(?:\.[\w.-]+)+[\w\-._~:/?#[\]@!$&'()*+,;=%]*/g

Matches http and https URLs including paths, query strings and fragments.

▶ Test live

IPv4 address

/\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b/g

Validates each octet is 0–255 — plain \d{1,3} would accept 999.

▶ Test live

Date (YYYY-MM-DD)

/\b\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b/g

ISO 8601 dates with month 01–12 and day 01–31. Does not check month length or leap years.

▶ Test live

Time (HH:MM 24h)

/\b([01]\d|2[0-3]):[0-5]\d\b/g

24-hour clock, 00:00 through 23:59.

▶ Test live

Hex color

/#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\b/g

Both #abc shorthand and #aabbcc full form.

▶ Test live

UUID (any version)

/\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/g

The standard 8-4-4-4-12 hex layout. Generate some at uuidnow.com.

▶ Test live

Slug (URL-friendly)

/^[a-z0-9]+(?:-[a-z0-9]+)*$/

Lowercase words separated by single hyphens — no leading/trailing/double hyphens.

▶ Test live

International phone (E.164)

/\+[1-9]\d{6,14}/g

The +country-code format used by SMS APIs like Twilio: + then 7–15 digits.

▶ Test live

Strong password check

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$/

Four lookaheads: lowercase, uppercase, digit, symbol — and at least 8 characters total.

▶ Test live

Number with thousands separators

/\b\d{1,3}(?:,\d{3})+(?:\.\d+)?\b/g

Matches 1,234 and 12,345,678.90 — not bare 1234.

▶ Test live

HTML tag (for quick scraping)

/<([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g

Opening tags with attributes, capturing the tag name. For real parsing use a DOM parser.

▶ Test live

A word of caution

Validation regexes are gatekeepers, not guarantees: an email can match the pattern and still not exist. Prefer permissive patterns plus a real check (send the email, ping the URL) over ever-more-baroque regexes. And when a pattern must run on user input, test it against hostile strings in the freeze-proof tester first — nested quantifiers have taken down production systems.