Regex Cheatsheet for Developers 2026
Every regex pattern you actually need, organized by use case. Copy, test, and use.
Regex documentation tends to be either a 200-page reference or a one-page table of metacharacters with no context. Neither helps when you need to validate an email address at 4 PM on a Friday.
This cheatsheet is organized by what you are trying to do, not by regex syntax. Each pattern is tested and ready to copy. Try any of them in the Regex Tester.
Basics
. matches any character except newline. \d matches a digit (0–9). \w matches a word character (letter, digit, underscore). \s matches whitespace (space, tab, newline). Capitalize any of these to negate: \D matches non-digit, \W matches non-word, \S matches non-whitespace.
* means zero or more. + means one or more. ? means zero or one. {3} means exactly 3. {2,5} means 2 to 5. {3,} means 3 or more.
^ anchors to the start of a line. $ anchors to the end. \b marks a word boundary.
Validation patterns
Email (practical):
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$This covers the vast majority of real email addresses. It is not RFC 5322 compliant (almost nothing is), but it rejects obvious garbage and accepts everything your users will actually type.
URL:
^https?:\/\/(www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_+.~#?&/=]*)$IPv4 address:
^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$Phone (international, E.164):
^\+?[1-9]\d{1,14}$For display formatting, handle that separately after validation.
Date (YYYY-MM-DD):
^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$Time (HH:MM:SS):
^([01]\d|2[0-3]):([0-5]\d):([0-5]\d)$Hex color:
^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$UUID v4:
^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$Password validation
Minimum 8 characters, at least one letter and one number:
^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$Minimum 8 characters, uppercase, lowercase, number, special character:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$If you want to generate secure passwords instead of validating weak ones, the Password Generator handles that without any regex needed.
Text extraction
All emails in a block of text:
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}All URLs:
https?:\/\/[^\s<>"{}|\\^\[\]]+All hashtags: #[a-zA-Z0-9_]+
All @mentions: @[a-zA-Z0-9_]+
Numbers (including decimals and negatives): -?\d+\.?\d*
Quoted strings: "[^"]*"|'[^']*'
HTML tags: <[^>]+>
Content between HTML tags: <(\w+)[^>]*>(.*?)<\/\1>
Search and replace
Remove HTML tags: Find <[^>]+>, replace with empty string.
Trim whitespace: Find ^\s+|\s+$ with the multiline flag.
Collapse multiple spaces: Find \s{2,}, replace with a single space.
Remove empty lines: Find ^\s*\n with the multiline flag, replace with empty string.
For case conversion and duplicate removal, the Text Case Converter and Duplicate Line Remover handle these without writing any regex.
Flags
g (global) matches all occurrences, not just the first. i (case-insensitive) ignores upper/lowercase. m (multiline) makes ^ and $ match line boundaries. s (dotAll) makes . match newlines too. u (unicode) enables full Unicode support.
Lookahead and lookbehind
Positive lookahead X(?=Y) — matches X only if followed by Y.
Negative lookahead X(?!Y) — matches X only if NOT followed by Y.
Positive lookbehind (?<=Y)X — matches X only if preceded by Y.
Negative lookbehind (?<!Y)X — matches X only if NOT preceded by Y.
Example: match a number only if followed by "px": \d+(?=px)
Common mistakes
Forgetting to escape dots. . matches any character. To match a literal dot, use \.
Greedy vs lazy. .* is greedy (matches as much as possible). .*? is lazy (matches as little as possible). When extracting content between delimiters, you almost always want lazy.
Catastrophic backtracking. Patterns like (a+)+$ can freeze a browser on certain inputs. The Regex Tester runs patterns in a Web Worker with a 2-second timeout to prevent this from locking up your tab.