Regular expressions are one of those tools that feel overwhelming at first, but once you understand them, they become indispensable. A single regex pattern can replace dozens of lines of conditional string-parsing code. The challenge is that regex syntax looks like someone fell asleep on a keyboard — and writing patterns from scratch for every new use case is slow and error-prone. That is why having a set of battle-tested, ready-to-use patterns is so valuable.
In this article, we cover ten of the most commonly needed regex patterns in web development, explain exactly how each one works, and show you how to test them using our free Regex Tester.
1. Email Address Validation
Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
This is one of the most frequently needed patterns in web development — virtually every sign-up form needs to validate email addresses. This pattern matches the standard email format: one or more valid characters before the @ symbol, a domain name, and a top-level domain of at least two characters. It correctly handles emails like user@example.com, user.name+tag@example.co.uk, and user123@sub.domain.org. Note that no regex can fully validate an email address — the only true validation is sending a confirmation email — but this pattern is robust enough for the overwhelming majority of real-world email addresses.
2. URL Matching
Pattern: https?:\/\/(www\.)?[-a-zA-Z0-9@:%._+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_+.~#?&/=]*)
This pattern matches both http and https URLs (the ? after the s makes it optional), an optional www prefix, a domain name, and an optional path, query string, and fragment. It is useful for extracting URLs from bodies of text, validating URL inputs in forms, and detecting links in user-submitted content.
3. Strong Password Validation
Pattern: (?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}
This pattern uses lookaheads to enforce that a password contains at least one lowercase letter, one uppercase letter, one digit, one special character from the set @$!%*?&, and is at least 8 characters long. Lookaheads (the (?=…) parts) are zero-width assertions — they check for a condition without consuming any characters in the string. This pattern is suitable for most standard password policy requirements and can be extended by adding more lookaheads.
4. US Phone Number
Pattern: (\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}
Phone number formatting varies enormously — (555) 123-4567, 555.123.4567, 555-123-4567, and +1 555 123 4567 are all valid representations of the same number. This pattern handles all common US phone number formats. The [\s.-]? parts allow any separator (space, dot, or hyphen) or no separator at all between number groups.
5. Hex Color Code
Pattern: #([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})
This pattern matches both full 6-digit hex color codes (#2563EB) and shorthand 3-digit codes (#fff). It is useful when parsing CSS, validating color input fields, or extracting color values from design files. The alternation (|) between the two length options ensures both formats are matched correctly.
6. IPv4 Address
Pattern: \b((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)\b
This pattern matches valid IPv4 addresses (0.0.0.0 through 255.255.255.255) and correctly rejects invalid ones like 999.1.2.3. The nested alternation handles the three ranges of valid octet values: 250–255, 200–249, and 0–199. The \b word boundaries ensure partial IP-like strings embedded in longer numbers are not matched.
7. ISO Date (YYYY-MM-DD)
Pattern: \d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])
This pattern matches dates in the ISO 8601 format used in databases, APIs, and international standards. It correctly validates that month values fall between 01 and 12, and day values between 01 and 31. Note that it does not validate the number of days per month (e.g. it would accept 2024-02-31), so combine it with a Date parsing check for strict validation.
8. URL Slug Validation
Pattern: ^[a-z0-9]+(?:-[a-z0-9]+)*$
URL slugs should contain only lowercase letters, numbers, and hyphens — no spaces, no uppercase, no special characters. This pattern ensures a slug starts and ends with a letter or number, and allows single hyphens between words. It is useful when building CMS platforms, blog engines, or any system where user input becomes part of a URL.
9. Credit Card Number (Basic)
Pattern: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12})$
This pattern validates the four major card networks: Visa (starts with 4), Mastercard (starts with 51–55), American Express (starts with 34 or 37), Diners Club (starts with 30, 36, or 38), and Discover (starts with 6011 or 65). Always use server-side validation and a payment processor’s own validation alongside this pattern — never rely solely on client-side regex for payment processing.
10. HTML Tag Stripping
Pattern: <[^>]+>
This simple pattern matches any HTML tag — opening, closing, or self-closing. It is commonly used to strip HTML from user-submitted content before displaying it as plain text or storing it in a database. Replace all matches with an empty string to get clean plain text. Important note: this pattern should not be used as a security measure against XSS — always use a proper HTML sanitisation library for security-critical contexts.
Ready to test these patterns against your own strings? Use our free Regex Tester — paste any of the patterns above into the pattern field, enter your test string, and see matches highlighted in real time with no signup required.