Regex Cheat Sheet: The Only Guide You'll Ever Need
The definitive regex cheat sheet organized by real-world tasks. Email validation, URL parsing, phone numbers, password rules, and more — with interactive examples you can test instantly.
In This Article
Why Every Developer Needs a Regex Reference
Regular expressions are one of those skills that every developer uses but nobody fully memorizes. You write a regex to validate an email, it works, you move on. Three months later you need another one, and you are back on Google searching "regex for phone number" again.
This cheat sheet is designed to end that cycle. Instead of organizing patterns by abstract syntax rules (character classes, quantifiers, anchors), we organize them by what you actually need to do: validate an email, extract a URL, parse a log file, enforce a password policy.
Every pattern in this guide can be tested instantly in our Regex Tester — paste the pattern, throw in your test string, and see matches highlighted in real time.
This cheat sheet was born from our own team's frustration. We kept a shared Google Doc of regex patterns that grew to 200+ entries over two years. Eventually we turned it into this organized reference and built the Regex Tester alongside it so we could verify patterns without switching to a terminal. Over 3,000 patterns have been tested through our tool since launch — the ones in this guide are the patterns that get used most.
Basic Building Blocks
Before diving into real-world patterns, here is the foundation:
Anchors: ^ matches the start of a string. $ matches the end. Use both together (^pattern$) to match the entire string.
Character Classes: \d matches any digit (0-9). \w matches word characters (letters, digits, underscore). \s matches whitespace (space, tab, newline). Capitalize any of these (\D, \W, \S) to match the opposite.
Quantifiers: * means zero or more. + means one or more. ? means zero or one. {3} means exactly 3. {2,5} means 2 to 5. {3,} means 3 or more.
Groups: (abc) captures a group. (?:abc) groups without capturing. (a|b) matches a or b.
Lookaheads: (?=...) positive lookahead (must be followed by). (?!...) negative lookahead (must NOT be followed by).
Email Validation
The simple version that works for 99% of cases:
Pattern: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$
This matches: user@example.com, first.last@company.co.uk, user+tag@gmail.com. It rejects: @missing-local.com, user@, user@.com, user@com.
The truth is, perfectly validating email via regex is technically impossible (the RFC 5322 spec is absurdly complex). But this pattern catches the vast majority of real-world typos and malformed inputs. For production apps, combine this with an actual email verification step.
URL and Domain Patterns
Match URLs (HTTP/HTTPS):
Pattern: https?:\/\/[\w\-]+(\.[\w\-]+)+[\/\w\-._~:?#\[\]@!$&'()*+,;=]*
Extract domain from URL: https?:\/\/([^\/\s]+)
Match IP addresses (IPv4): ^(\d{1,3}\.){3}\d{1,3}$
Validate a domain name: ^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$
These patterns handle the most common URL formats. For edge cases (internationalized domains, IPv6), you will need more complex patterns or a dedicated URL parser library.
Phone Numbers
US phone numbers (flexible format):
Pattern: ^\+?1?[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}$
This matches: (555) 123-4567, 555-123-4567, 5551234567, +1 555 123 4567, 1-555-123-4567.
International (E.164 format): ^\+[1-9]\d{6,14}$
Extract any phone-like number from text: \+?\d[\d\s()-]{7,}\d
Phone number validation is notoriously locale-specific. For production use, consider libraries like libphonenumber. But for form-level validation to catch typos, these patterns work well.
Password Strength Rules
Minimum 8 characters, at least one uppercase, one lowercase, one digit:
Pattern: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$
Add special character requirement: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&]).{8,}$
No consecutive identical characters: ^(?!.*(.)\1{2})
These use lookaheads — they check conditions without consuming characters. Each (?=.*X) says "somewhere in the string, X must exist." The .{8,} at the end enforces minimum length.
Use our Password Generator to create passwords that pass any strength regex you define.
Data Extraction Patterns
Extract dates (MM/DD/YYYY or DD/MM/YYYY): (\d{1,2})[\/\-](\d{1,2})[\/\-](\d{2,4})
ISO date format: \d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2})?
Extract hex colors: #([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})
Match JSON keys: "([^"]+)"\s*:
Extract HTML tags: <([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>
Match credit card numbers (any format): \b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b
Match UUID: [0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}
All of these can be tested and refined in our Regex Tester with real-time match highlighting.
Search and Replace Patterns
Remove all HTML tags: <[^>]+> replace with empty string.
Convert camelCase to kebab-case: ([a-z])([A-Z]) replace with $1-$2, then lowercase. This turns backgroundColor into background-color.
Remove duplicate whitespace: \s{2,} replace with a single space.
Remove trailing whitespace per line: [ \t]+$ replace with empty string.
Swap first and last name: ^(\w+)\s+(\w+)$ replace with $2 $1. This turns "John Smith" into "Smith John" using capture group references.
These patterns are incredibly useful in our Code Formatter when cleaning up source files.
Log Parsing and Debugging
Match Apache log lines: ^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d+) (\d+)
Extract stack trace file paths: at\s+.*\((.+):(\d+):(\d+)\)
Match ISO timestamps in logs: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
Filter log levels: \b(ERROR|WARN|FATAL|CRITICAL)\b
Extract key-value pairs: (\w+)=(\S+)
These are daily tools for any developer debugging production issues. Paste your log output into our Regex Tester, apply the pattern, and instantly see what gets captured.
Common Mistakes and How to Avoid Them
Greedy vs Lazy: .* is greedy — it matches as much as possible. .*? is lazy — it matches as little as possible. When extracting content between quotes, use "([^"]*)" or "(.*?)" instead of "(.*)".
Forgetting to escape special characters: . matches ANY character, not a literal dot. Use \. for a literal dot. Same for \(, \), \[, \], \{, \}, \+, \*, \?, \^, \$, \|, \\.
Catastrophic backtracking: Patterns like (a+)+ on a long string of "a"s can freeze your browser. Avoid nested quantifiers on the same character. Use atomic groups or possessive quantifiers when available.
Not anchoring when you should: Without ^ and $, your pattern matches substrings. ^\d{3}$ matches "123" but not "abc123def". \d{3} without anchors matches the "123" inside "abc123def".
Test early and often — our Regex Tester shows matches in real time as you type, helping you catch these issues before they reach production.