Regular expressions are one of those tools that feel intimidating until you learn the 10-20 patterns that cover 90% of real-world use cases. Once you have those patterns in your toolkit and know how to test them, regex stops being cryptic and becomes a power tool.
1. Email Address (Basic Validation)
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$This covers the vast majority of valid emails. It is NOT RFC 5322 compliant (almost nothing is), but it rejects obviously invalid input while accepting real addresses. For production, combine with server-side verification.
2. URL (HTTP/HTTPS)
https?://[\w\-]+(\.[\w\-]+)+[/\w\-.~:?#\[\]@!$&'()*+,;=%]*Matches standard HTTP and HTTPS URLs including paths, query strings, and fragments. Does not match protocol-relative URLs (//example.com) or non-HTTP schemes intentionally.
3. IPv4 Address
^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$Validates proper IPv4 addresses with each octet in the 0-255 range. Rejects values like 999.999.999.999 that simpler digit-based patterns would accept.
4. Date (YYYY-MM-DD)
^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$Matches ISO 8601 date format. Validates month range (01-12) and day range (01-31) but does not check calendar validity (accepts Feb 31). For calendar validation, parse the date in code after the regex passes.
5. Phone Number (International)
^\+?[1-9]\d{1,14}$Follows the E.164 international format: optional plus sign, 1-15 digits, no spaces or dashes. Strict but globally compatible. For display formatting, apply locale-specific patterns after validation.
6. Hex Color Code
^#([0-9A-Fa-f]{6}|[0-9A-Fa-f]{3})$Matches both 6-digit (#FF5733) and 3-digit shorthand (#F53) hex color codes. Case-insensitive by the character class definition.
7. Strong Password
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$Requires at least 8 characters with one lowercase, one uppercase, one digit, and one special character. Uses lookaheads so the order of character types does not matter.
Password strength is better measured by entropy (length + character pool) than by complexity rules. A 20-character passphrase with no special characters is stronger than an 8-character string with forced complexity. Use regex for basic enforcement, not as a security guarantee.
How to Test Regex Patterns Effectively
- Start with known-good inputs — Test strings that should match to confirm the pattern works.
- Test boundary cases — Empty strings, single characters, maximum length inputs.
- Test known-bad inputs — Strings that look similar but should not match (email without @, IP with 999 octets).
- Test special characters — Inputs with characters that have regex meaning (dots, brackets, slashes).
- Use a live regex tester — Client-side tools with real-time highlighting show exactly what matches and what doesn't as you type.
The most common regex mistake is not testing edge cases. A pattern that works for your 5 test strings can fail spectacularly on the 6th. Spend 2 minutes testing boundary cases and you will avoid hours of debugging in production.