Regex Cheat Sheet 2026: Essential Patterns Every Developer Needs
Regular expressions are one of the most powerful tools in a developer's toolkit. This cheat sheet covers the fundamentals, the 10 most common patterns you will use in real projects, and the mistakes that trip up even experienced developers.
Regex Basics
Before diving into patterns, let us review the building blocks of regular expressions. Test any of these patterns live with our regex tester tool.
Character Classes
Character classes define sets of characters to match at a single position.
. Any character except newline
\d Digit (0-9)
\D Non-digit
\w Word character (a-z, A-Z, 0-9, _)
\W Non-word character
\s Whitespace (space, tab, newline)
\S Non-whitespace
[abc] Any of a, b, or c
[^abc] Not a, b, or c
[a-z] Any lowercase letter
[A-Z] Any uppercase letter
[0-9] Any digit (same as \d)Quantifiers
Quantifiers control how many times the preceding element must occur.
* Zero or more (greedy)
+ One or more (greedy)
? Zero or one (optional)
{3} Exactly 3 times
{3,} 3 or more times
{3,6} Between 3 and 6 times
*? Zero or more (lazy/non-greedy)
+? One or more (lazy/non-greedy)Anchors and Boundaries
Anchors match positions rather than characters.
^ Start of string (or line with m flag)
$ End of string (or line with m flag)
\b Word boundary
\B Non-word boundaryGroups and Alternation
(abc) Capturing group
(?:abc) Non-capturing group
(?<name>) Named capturing group
a|b Match a or b (alternation)
\1 Backreference to group 110 Most Common Regex Patterns
These are the patterns you will reach for again and again in real projects. Each one is tested and ready to use. Copy any pattern and try it in our regex tester to see it in action.
1. Email Address Validation
Validates common email formats with a local part, domain, and TLD. Covers most real-world addresses while keeping the pattern readable.
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$Matches: user@example.com, first.last+tag@company.co.uk
2. URL Validation
Matches HTTP and HTTPS URLs with optional paths, query strings, and fragments.
^https?:\/\/(www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_+.~#?&/=]*)$Matches: https://chromacreator.com/tools, http://example.com/path?q=test
3. US Phone Number
Matches US phone numbers in various common formats including optional country code.
^(\+1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}$Matches: (555) 123-4567, +1-555-123-4567, 5551234567
4. Date (YYYY-MM-DD)
Validates ISO 8601 date format. Note that this pattern checks the format, not whether the date itself is valid (e.g., February 31st would pass).
^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$Matches: 2026-03-01, 2026-12-31
5. IPv4 Address
Validates IPv4 addresses with proper octet ranges (0-255).
^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$Matches: 192.168.1.1, 10.0.0.255, 255.255.255.0
6. Strong Password
Enforces minimum 8 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Use this alongside a dedicated password generator for creating secure passwords.
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$Matches: P@ssw0rd!, Str0ng&Safe
7. Hex Color Code
Matches 3-digit and 6-digit hex color codes with the leading hash. Useful when building design tools or parsing CSS — try our color palette generator to work with hex colors interactively.
^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$Matches: #FF6B6B, #fff, #4ECDC4
8. HTML Tag
Matches opening and self-closing HTML tags. Note: regex is not suitable for full HTML parsing (use a proper DOM parser), but this works for simple extraction tasks.
<([a-z][a-z0-9]*)\b[^>]*\/?>|<\/([a-z][a-z0-9]*)>Matches: <div>, <img src="..." />, </span>
9. File Extension
Extracts or validates file extensions. Customize the allowed extensions by modifying the alternation group.
^.+\.(jpg|jpeg|png|gif|svg|webp|pdf|doc|docx)$Matches: photo.jpg, document.pdf, image.webp
10. Credit Card Number (Basic)
Basic pattern for common credit card formats. Always use additional server-side validation (Luhn algorithm) for actual payment processing.
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})$Covers: Visa (4...), Mastercard (51-55...), Amex (34/37...), Discover (6011/65...)
Regex Flags
Flags modify how the regex engine processes the pattern. They are appended after the closing delimiter (e.g., /pattern/gi).
g - Global
Find all matches in the string, not just the first one. Essential for search-and-replace operations and counting occurrences.
i - Case Insensitive
Match uppercase and lowercase letters interchangeably. /hello/i matches "Hello", "HELLO", and "hElLo".
m - Multiline
Makes ^ and $ match the start and end of each line rather than the entire string. Critical when processing multi-line text.
s - Dotall
Makes . match any character including newline (\n). Without this flag, . stops at line breaks.
Common Regex Mistakes
Even experienced developers fall into these traps. Knowing them in advance saves significant debugging time.
Catastrophic Backtracking
Nested quantifiers like (a+)+ can cause exponential processing time on non-matching inputs. This is a real security vulnerability known as ReDoS (Regular Expression Denial of Service). Always test your patterns with long non-matching strings.
Forgetting to Escape Special Characters
Characters like ., *, +, ?, (, ), [, and { have special meaning. To match them literally, escape with a backslash: \. matches an actual period.
Greedy vs Lazy Matching
The pattern <.*> on input <a>text</a> matches the entire string, not just <a>. Use <.*?> for lazy matching.
Not Anchoring the Pattern
Without ^ and $, a pattern can match anywhere in the string. /\d3/ matches "abc123def" because it finds 3 digits within the string. Use /^\d3$/ to require the entire string to be exactly 3 digits.
Using Regex for Everything
Regex is powerful but not always the right tool. Do not use regex to parse HTML, XML, or JSON. Use dedicated parsers for structured formats. For JSON validation, use JSON.parse() or our JSON formatter instead.
Start Testing Regex Patterns
Regular expressions become second nature with practice. Bookmark this cheat sheet for quick reference, and use a live testing tool to build and debug your patterns interactively. The patterns in this guide cover the vast majority of validation tasks you will encounter in web development.
For more developer tools, check out our JSON formatter, Base64 encoder/decoder, and secure password generator.
Try the Regex Tester
Build, test, and debug regular expressions in real time with match highlighting and pattern explanations.
Open Regex TesterFrequently Asked Questions
What does the regex flag 'g' mean?
The 'g' flag stands for 'global' and tells the regex engine to find all matches in the string rather than stopping after the first match. Without the g flag, methods like String.match() return only the first match.
How do I match an email address with regex?
A practical email regex pattern is /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/. This matches most valid email formats with a local part, @ symbol, domain, and TLD. For production use, combine regex validation with an email verification service.
What is the difference between * and + in regex?
The * quantifier matches zero or more occurrences of the preceding element, while + matches one or more. For example, /a*/ matches an empty string, but /a+/ requires at least one 'a'. Use * when the element is optional, and + when at least one occurrence is required.
How do I test regex patterns online?
You can test regex patterns using online tools like the Chroma Creator Regex Tester at chromacreator.com/regex-tester. These tools provide real-time matching, highlighting, and explanations of your patterns against test strings.
Why is my regex matching too much (greedy matching)?
By default, quantifiers like * and + are greedy — they match as much text as possible. Add a ? after the quantifier to make it lazy (non-greedy). For example, /<.*>/ matches the entire string '<a>text</a>', but /<.*?>/ matches just '<a>' and '</a>' separately.