Regex Library

41 patterns

Security Regex Patterns

Security-focused regex patterns help validate and sanitize user input. From password strength enforcement to detecting common injection patterns, these expressions are a first line of defense in your validation layer.

Common Use Cases

Password strength validation
JWT authentication
Input sanitization
Injection detection

All Security Patterns

Ultra-Secure Password

Minimum 12 characters, must include uppercase, lowercase, number, and special character.

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&_#\-])[A-Za-z\d@$!%*?&_#\-]{12,}$

SQL Injection Detection

Detects suspicious SQL injection patterns.

('|(\-\-)|(;)|(\|\|)|(\*)|(<)|(>)|(\^)|(\[)|(\])|(\{)|(\})|(%)|(\$)|(\bOR\b)|(\bAND\b))

Basic XSS Detection

Detects common XSS patterns.

<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=

Credit Card Masking

Captures the four digit groups of a card number so it can be masked (XXXX-XXXX-XXXX-1234).

^(\d{4})[\s-]?(\d{4})[\s-]?(\d{4})[\s-]?(\d{4})$

Strip HTML Tags

Removes all HTML tags.

<[^>]+>

Hexadecimal API Key

Hexadecimal API keys of MD5 length (32 characters) or SHA-1 length (40 characters).

^([A-Fa-f0-9]{32}|[A-Fa-f0-9]{40})$

BCrypt Hash

Validates BCrypt password hashes.

^\$2[aby]?\$\d{1,2}\$[.\/A-Za-z0-9]{53}$

Stripe API Key

Validates Stripe publishable or secret API keys.

^(sk|pk)_(test|live)_[a-zA-Z0-9]{24,}$

JWT Token

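Validates the structure of a JSON Web Token (three Base64URL parts separated by dots). The third (signature) part may be empty, so this is a format check only and does not verify the signature.

^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$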

Strong Password

At least 12 characters with lowercase, uppercase, digit, and special character.

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]).{12,}$

TOTP / OTP Code

Validates 6-digit one-time passwords (TOTP, Google Authenticator, SMS OTP).

^\d{6}$

Generic Alphanumeric API Key

Validates generic alphanumeric API keys (32 to 64 characters).

^[A-Za-z0-9]{32,64}$

Numeric PIN Code

Validates numeric PIN codes (4 to 8 digits).

^\d{4,8}$

Strong Passphrase

Validates passphrases: 20+ chars with at least one uppercase, digit, and special char.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^a-zA-Z0-9 ]).{20,}$

GitHub Personal Access Token

Detects classic GitHub personal access tokens (ghp_ prefix). Use to scan logs/commits for leaked secrets.

^ghp_[A-Za-z0-9]{36}$

GitHub Fine-grained Token

Matches modern fine-grained GitHub PATs. Useful for secret-scanning pipelines.

^github_pat_[A-Za-z0-9_]{82}$

AWS Access Key ID

Matches AWS access key IDs (AKIA prefix for long-term, ASIA for STS). Critical for leaked-credentials detection.

(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])

Bearer Authorization Header

Validates a complete Authorization HTTP header in Bearer scheme.

^Bearer\s+[A-Za-z0-9._~+/=-]+$

MD5 Hash

Matches a 32-character lowercase hexadecimal MD5 hash digest.

^[a-f0-9]{32}$

SHA-1 Hash

Matches a 40-character lowercase hexadecimal SHA-1 hash digest.

^[a-f0-9]{40}$

SHA-256 Hash

Matches a 64-character lowercase hexadecimal SHA-256 hash digest.

^[a-f0-9]{64}$

OpenAI API Key

Detects OpenAI API keys, including legacy (sk-...) and project-scoped (sk-proj-...) tokens.

^sk-(?:proj-)?[A-Za-z0-9_-]{20,}$

Anthropic API Key

Detects Anthropic Claude API keys (sk-ant- prefix).

^sk-ant-[A-Za-z0-9_-]{32,}$

Slack Bot Token

Matches Slack tokens (bot, user, app, refresh, scoped).

^xox[abprs]-[A-Za-z0-9-]{10,}$

SHA-512 Hash

Matches a 128-character lowercase hexadecimal SHA-512 hash digest.

^[a-f0-9]{128}$

SHA-384 Hash

Matches a 96-character lowercase hexadecimal SHA-384 hash digest.

^[a-f0-9]{96}$

PGP / GPG Key Fingerprint

Matches a 40-character hexadecimal PGP/GPG key fingerprint with optional 4-char grouping.

^[A-Fa-f0-9]{4}(?:\s?[A-Fa-f0-9]{4}){9}$

SSH Public Key

Matches an OpenSSH public key in the format: type base64 [comment].

^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+[A-Za-z0-9+/]+=*(?:\s+\S+)?$

Stripe Webhook Secret

Detects a Stripe webhook signing secret (whsec_). Useful for leak-detection and secret scanning.

^whsec_[A-Za-z0-9]{32,}$

Stripe Publishable Key

Matches a Stripe publishable key (pk_live_ or pk_test_).

^pk_(?:live|test)_[A-Za-z0-9]{24,}$

Stripe Secret Key

Matches a Stripe secret API key (sk_live_ or sk_test_). Use for secret scanning in commits.

^sk_(?:live|test)_[A-Za-z0-9]{24,}$

Twilio Account SID

Validates a Twilio Account SID (starts with AC + 32 hex characters).

^AC[a-f0-9]{32}$

Twilio Auth Token

Matches a Twilio API Key SID (SK + 32 hex characters). Often confused with the secret; pair it with the API Key Secret in your vault.

^SK[a-f0-9]{32}$

Google / GCP API Key (AIza...)

Detects a Google Cloud / Firebase / Maps API key (AIza + 35 chars). Common secret-scanning rule.

^AIza[0-9A-Za-z_-]{35}$

Azure Storage Connection String

Detects an Azure Blob Storage connection string. Use for secret scanning to prevent leaks.

^DefaultEndpointsProtocol=https?;AccountName=[a-z0-9]{3,24};AccountKey=[A-Za-z0-9+/=]{60,};EndpointSuffix=core\.windows\.net$

Argon2 Hash

Validates an Argon2 password hash (PHC string format, supports argon2id/i/d variants).

^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$

SHA3-256 / Keccak-256 Hash

Matches a 64-character hex digest (SHA-256, SHA3-256, or Keccak-256 — same length).

^[A-Fa-f0-9]{64}$

PEM Block (Certificate / Key)

Extracts a PEM-encoded block (certificate, public key, private key, CSR). Captures the type and base64 body.

-----BEGIN ([A-Z][A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+)\r?\n-----END \1-----

JWK Key ID (kid)

Validates a JSON Web Key ID (kid) — URL-safe base64 fragment, 8-128 chars.

^[A-Za-z0-9_-]{8,128}$

OpenAI Organization ID

Matches an OpenAI organization ID (org- + 24 alphanumeric chars).

^org-[A-Za-z0-9]{24}$

Discord Bot Token

Detects a Discord bot token (3 base64url parts separated by dots). Use for secret scanning.

^[MN][A-Za-z0-9_-]{23,25}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,38}$

Frequently Asked Questions

Can regex fully prevent SQL injection?

No. Always use parameterized queries or prepared statements. Regex can catch obvious attempts but is not a substitute for proper escaping.

What makes a strong password regex?

Require: minimum 12 chars, at least one uppercase, lowercase, digit, and special character. Use lookaheads: (?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[!@#$%]).

How do I validate a JWT token format?

Use the JWT Token pattern: ^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$ (it checks the three-part Base64URL structure).
