Regex Cheat Sheet: Complete Reference Guide (2026)

What Are Regular Expressions?

Regular expressions (regex or regexp) are sequences of characters that define search patterns. They are used in virtually every programming language for string searching, matching, validation, and text extraction. A 2019 empirical study published at ESEC/FSE found that 94% of developers re-use regex patterns, with 50% reusing them at least half the time — yet they remain one of the most frequently misunderstood tools in the craft.

This cheat sheet is a complete reference you can bookmark and return to. It covers metacharacters, quantifiers, groups, lookarounds, flags, and production-ready validation patterns. To test any pattern interactively, use our Regex Tester tool.

Basic Metacharacters

Metacharacters are the building blocks of regular expressions. Each has a special meaning beyond its literal character value.

Character Classes

Character classes match any one character from a specific set. They are defined using square brackets and support ranges, negation, and shorthand notations.

Quantifiers: Greedy vs. Lazy

Quantifiers specify how many times a preceding element must occur. The most critical distinction — one that bites developers constantly — is greedy vs. lazy matching.

// Input: "<a>text</a><b>more</b>"
// Greedy: matches the ENTIRE string from first < to last >
/<.*>/g   // → ["<a>text</a><b>more</b>"]

// Lazy: matches each tag individually
/<.*?>/g  // → ["<a>", "</a>", "<b>", "</b>"]

The greedy-vs-lazy distinction matters most when parsing delimited content like HTML tags, quoted strings, or anything with a repeated open/close pattern.

Groups and Backreferences

Groups let you treat multiple characters as a single unit, apply quantifiers to complex patterns, and capture matched text for extraction or replacement. Named groups — supported in all modern engines — make patterns substantially more readable.

// Named groups make complex patterns self-documenting
const dateRegex = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;
const match = "2026-03-14".match(dateRegex);
console.log(match.groups.year);  // "2026"
console.log(match.groups.month); // "03"
console.log(match.groups.day);   // "14"

// Backreference: detect duplicate consecutive words
const dupeWords = /\b(\w+)\s+\1\b/gi;
"the the quick brown fox".match(dupeWords); // ["the the"]

// Non-capturing group for grouping without storing
/(?:https?|ftp):\/\//.test("https://example.com"); // true

Anchors and Boundaries

// Word boundary: match "cat" but not "concatenate"
/\bcat\b/.test("the cat sat");     // true
/\bcat\b/.test("concatenate");     // false

// Multiline anchors: ^ and $ match each line
const multiline = /^Error: .+$/gm;
const log = "OK: all good\nError: disk full\nOK: recovered";
log.match(multiline); // ["Error: disk full"]

Lookaheads and Lookbehinds

Lookarounds are zero-width assertions — they check context without consuming characters. They are essential for matching patterns that depend on surrounding context without including that context in the result.

// Extract number before "px" (lookahead)
/\d+(?=px)/.exec("font-size: 16px"); // ["16"]

// Password strength: at least 1 uppercase, 1 digit, 8+ chars
/^(?=.*[A-Z])(?=.*\d).{8,}$/.test("Secret1!");  // true
/^(?=.*[A-Z])(?=.*\d).{8,}$/.test("password1"); // false

// Extract price after "$" (lookbehind)
/(?<=\$)[\d.]+/.exec("Total: $99.99"); // ["99.99"]

// Match "foo" NOT followed by "bar"
/foo(?!bar)/.test("foobar");  // false
/foo(?!bar)/.test("foobaz");  // true

Regex Flags Quick Reference

Gotcha with the g flag: When you use .test() or .exec() with the g flag, the regex object is stateful — it remembers its lastIndex position. Calling .test() on the same compiled regex multiple times will produce alternating true/false results unless you reset lastIndex = 0 between calls.

Production-Ready Validation Patterns

These are battle-tested patterns for common validation tasks. The empirical study on regex bugs (Mining Software Repositories 2020, 356 bugs across 195 GitHub repositories) found that 46.3% of regex bugs are caused by incorrect semantics — so test each pattern against edge cases, including empty strings, unicode, and malformed inputs.

Email Validation

// RFC 5322-compliant (simplified — true RFC 5322 is ~6KB of regex)
const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;

// Test cases:
emailRegex.test("[email protected]");      // ✓
emailRegex.test("[email protected]"); // ✓
emailRegex.test("[email protected]");             // ✗
emailRegex.test("@example.com");          // ✗

// Note: Always send a verification email for definitive validation.
// No regex catches all valid/invalid emails per RFC 5321.

URL Validation

// Strict HTTPS URL
const httpsUrl = /^https:\/\/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/;

// Permissive URL (http or https, optional path)
const anyUrl = /^(https?:\/\/)?([\w-]+\.)+[\w-]+(\/[\w\-./?%&=]*)?$/;

httpsUrl.test("https://bytepane.com/regex-tester/"); // ✓
httpsUrl.test("http://example.com");                  // ✗ (requires https)

US Phone Number

const usPhone = /^(\+1[\s-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$/;

// All match:
usPhone.test("+1-555-123-4567"); // ✓
usPhone.test("(555) 123-4567");  // ✓
usPhone.test("5551234567");      // ✓
usPhone.test("555.123.4567");    // ✓

Strong Password

// Min 8 chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char
const strongPwd = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;

strongPwd.test("Secret1!");  // ✓
strongPwd.test("password1"); // ✗ (no uppercase, no special)
strongPwd.test("P@ss1");     // ✗ (too short)

IPv4 Address

// Strict 0-255 range validation
const ipv4 = /^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$/;

ipv4.test("192.168.1.1");     // ✓
ipv4.test("255.255.255.255"); // ✓
ipv4.test("256.1.1.1");       // ✗ (256 > 255)
ipv4.test("192.168.1");       // ✗ (only 3 octets)

ISO Date (YYYY-MM-DD)

// Validates format and plausible ranges (not calendar validity)
const isoDate = /^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/;

isoDate.test("2026-03-14"); // ✓
isoDate.test("2026-13-01"); // ✗ (month 13 invalid)
isoDate.test("2026-00-15"); // ✗ (month 00 invalid)
// Note: does not catch Feb 31 — use Date.parse() for calendar validation

Hex Color Code

// 3, 4, 6, or 8 digit hex (with optional alpha channel)
const hexColor = /^#([0-9A-Fa-f]{3,4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/;

hexColor.test("#fff");       // ✓ (3-digit)
hexColor.test("#FF5733");    // ✓ (6-digit)
hexColor.test("#FF573380");  // ✓ (8-digit with alpha)
hexColor.test("#GGGGGG");    // ✗ (G is not hex)

Convert hex colors to RGB or HSL directly in our Color Converter tool.

Regex by Language: API Quick Reference

JavaScript

// Literal and constructor syntax
const re1 = /pattern/gi;
const re2 = new RegExp("pattern", "gi");  // for dynamic patterns

// Key methods
"hello world".match(/\w+/g);             // ["hello", "world"]
"hello".replace(/l/g, "r");              // "herro"
"hello".replaceAll("l", "r");            // ES2021 string method
/^test/.test("test string");              // true
"a1b2c3".matchAll(/[a-z](\d)/g);        // ES2020 iterator

// Destructuring named groups (ES2018+)
const { groups: { year, month } } = "2026-03".match(
  /(?<year>\d{4})-(?<month>\d{2})/
);

Python

import re

# Compile once for repeated use (significant performance gain)
pattern = re.compile(r"[A-Z][a-z]+", re.MULTILINE)

re.search(r"\d+", "abc 123")            # Match object
re.findall(r"\d+", "a1 b2 c3")          # ["1", "2", "3"]
re.findall(r"(\w+)=(\w+)", "k=v")      # [("k", "v")]
re.sub(r"\d", "X", "a1b2c3")           # "aXbXcX"
re.split(r"[,;\s]+", "a, b; c d")      # ["a", "b", "c", "d"]

# Named groups
m = re.search(r"(?P<year>\d{4})-(?P<month>\d{2})", "2026-03")
m.group("year")   # "2026"
m.group("month")  # "03"

Go

import "regexp"

// Go uses RE2 syntax (no lookaheads, no backreferences)
// All Go regex operations are guaranteed O(n) — immune to ReDoS
re := regexp.MustCompile("\\d{4}-\\d{2}-\\d{2}")

re.MatchString("2026-03-14")        // true
re.FindString("Date: 2026-03-14")   // "2026-03-14"
re.FindAllString("a1 b2 c3", -1)    // ["1", "2", "3"]
re.ReplaceAllString("a1b2", "\d", "X") // "aXbX"

// Named groups
re2 := regexp.MustCompile("(?P<year>\\d{4})-(?P<month>\\d{2})")
match := re2.FindStringSubmatch("2026-03")
year := match[re2.SubexpIndex("year")] // "2026"

Go's regexp package uses the RE2 engine, which guarantees linear-time execution on all inputs — making it immune to ReDoS by design. The trade-off: no lookaheads or backreferences. For log parsing and data pipelines, Go's regex is often the right choice precisely because of this safety guarantee.

Performance & Security: Avoiding ReDoS

ReDoS (Regular Expression Denial of Service) is a real threat. OWASP research shows that approximately 20% of regex patterns in production applications are vulnerable — and a single malicious input can pin a thread at 100% CPU for seconds or minutes. The Rust Leipzig benchmark project (which compares PCRE, RE2, Rust regex, Hyperscan, and others) found that Hyperscan is the fastest engine, with the Rust regex crate and PCRE2-JIT tied for second — both using linear-time algorithms that prevent catastrophic backtracking.

1. Avoid nested quantifiers — patterns like (a+)+ cause exponential backtracking on pathological inputs.
2. Be specific with character classes — use [a-z] instead of . when you know the expected character set.
3. Anchor your patterns — ^ and $ prevent unnecessary scanning of the full string.
4. Compile once, reuse often — compile regex outside of loops. In Python, use re.compile(); in Go, regexp.MustCompile() at package level.
5. Set execution timeouts — in server-side code that accepts user-supplied regex or text, wrap regex execution with a timeout.
6. Use RE2-based engines for user input — Go's regexp and Google's RE2 library guarantee linear-time execution with no backtracking.

For regex validation and debugging on the fly, use our Regex Tester. For string analysis after processing, the Word Counter gives you character and word statistics instantly.

Frequently Asked Questions

Related Articles