Is there a “perfect” email regex?

No. RFC-valid email syntax is extremely broad. Use a pragmatic regex for UI and confirm delivery or validate server-side.

Should I parse URLs with regex?

Prefer a URL parser (new URL() in JS, standard libraries). Regex is acceptable for quick checks like protocol and basic structure.

How do I avoid catastrophic backtracking?

Use specific classes instead of .*, anchor patterns, avoid nested quantifiers, and consider atomic groups or possessive quantifiers where supported.

Can I validate internationalized domain names (IDN)?

Yes, but convert to Punycode or use libraries; strict regex alone is brittle for IDN edge cases.

March 3, 2025 7 min read

Regex for Everyday Tasks: 12 Copy-Paste Patterns

Stop hunting for snippets. Here are 12 practical regex patterns for web and backend work — with safe defaults, notes for JavaScript/Python/PCRE, and pitfalls to avoid. Test any pattern instantly in our Regex Tester.

How to use these patterns (and what they’re for)

These regexes are pragmatic: simple enough to maintain, strict enough to be useful. Use them for client-side hints and quick filters. For security-critical validation (e.g., email delivery, URL parsing), combine regex with real parsers or API checks.

1) Email (pragmatic)

/^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/i

Good balance for UI. Allows unicode if your input is UTF-8 and browser supports it. For production, attempt delivery or use a library for full RFC compliance.

2) URL (http/https only)

/^(https?:\/\/)([\w\-]+(\.[\w\-]+)+)(:[0-9]{2,5})?(\/[^\s?#]*)?(\?[^\s#]*)?(#\S*)?$/i

Covers protocol, host, optional port, path, query, hash. Prefer native parsers (new URL() in JS) for critical logic.

3) Phone (E.164 international)

/^\+?[1-9]\d{1,14}$/

Digits only, optional +, up to 15 digits. Use a phone library for formatting/region rules.

4) IPv4

/^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/

Validates each octet to 0–255.

5) Hex color (#RGB or #RRGGBB)

/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/

Add 8 or 4 hex for alpha if needed.

6) ISO date (YYYY-MM-DD)

/^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/

Checks month/day ranges; doesn’t handle leap years — validate with a date library after match.

7) 24-hour time (HH:MM)

/^([01]\d|2[0-3]):[0-5]\d$/

Extend to seconds with :[0-5]\d.

8) URL slug (lowercase-kebab)

/^[a-z0-9]+(?:-[a-z0-9]+)*$/

No leading/trailing hyphen; no consecutive hyphens.

9) UUID v4

/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i

Ensures version 4 and valid variant.

10) Password (at least 8, upper+lower+digit+symbol)

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/

For real security, favor length (12–16+) and use a breach-check API on the server.

11) Currency / price (optional symbol, 2 decimals)

/^[\$€£]?(\d{1,3}(?:,\d{3})*|\d+)(?:\.\d{2})?$/

UI helper only. For accounting, parse numbers by locale and store as integer cents.

12) ISO 8601 datetime (YYYY-MM-DDTHH:MM[:SS]Z?)

/^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])T([01]\d|2[0-3]):[0-5]\d(?::[0-5]\d)?(Z|[+-][01]\d:[0-5]\d)?$/

Covers basic forms. Use a date library for full timezone/edge-case support.

Engine differences & safety tips

JavaScript: No lookbehinds in older browsers. Modern engines support them; test in your target.
Python/PCRE: Use raw strings in Python: r"^\d+$" to avoid escape hell.
Unicode: Add u flag (JS) and consider \p{L}/\p{N} for unicode letters/digits if supported.
ReDoS: Keep patterns linear; avoid catastrophic backtracking (nested .* with ambiguity). Prefer atomic groups/possessive quantifiers where available.
Anchors: Use ^...$ to avoid matching unwanted substrings in validation contexts.
Escaping: Build regex from constants; never interpolate untrusted user data directly into a pattern.

URL Encoding Explained (with Real Examples)

Merge & Split PDFs Like a Pro (Without Watermarks)