21 patterns
Security Patterns Regex Patterns
Security-focused regex patterns help validate and sanitize user input. From password strength enforcement to detecting common injection patterns, these expressions are a first line of defense in your validation layer.
All Security Patterns Patterns
Ultra-Secure Password
Minimum 12 characters, must include uppercase, lowercase, number, and special character.
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$
SQL Injection Detection
Detects suspicious SQL injection patterns.
('|(\-\-)|(;)|(\|\|)|(\*)|(<)|(>)|(\^)|(\[)|(\])|(\{)|(\})|(%)|(\$)|(\bOR\b)|(\bAND\b))
Basic XSS Detection
Detects common XSS patterns.
<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=
Credit Card Masking
Captures groups to mask cards (XXXX-XXXX-XXXX-1234).
^(\d{4})[\s-]?(\d{4})[\s-]?(\d{4})[\s-]?(\d{4})$
Strip HTML Tags
Removes all HTML tags.
<[^>]+>
Hexadecimal API Key
MD5 (32) or SHA1 (40) API keys in hexadecimal.
^(?:[A-Fa-f0-9]{32}|[A-Fa-f0-9]{40})$
BCrypt Hash
Validates BCrypt password hashes.
^\$2[aby]?\$\d{1,2}\$[.\/A-Za-z0-9]{53}$
Stripe API Key
Validates Stripe publishable or secret API keys
^(sk|pk)_(test|live)_[a-zA-Z0-9]{24,}$
JWT Token
Validates the structure of a JSON Web Token (three Base64URL parts separated by dots).
^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$
Strong Password
At least 12 characters with lowercase, uppercase, digit, and special character.
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]).{12,}$
TOTP / OTP Code
Validates 6-digit one-time passwords (TOTP, Google Authenticator, SMS OTP).
^\d{6}$
Generic Alphanumeric API Key
Validates generic alphanumeric API keys (32 to 64 characters).
^[A-Za-z0-9]{32,64}$
Numeric PIN Code
Validates numeric PIN codes (4 to 8 digits).
^\d{4,8}$
Strong Passphrase
Validates passphrases: 20+ chars with at least one uppercase, digit, and special char.
^(?=.*[A-Z])(?=.*[0-9])(?=.*[^a-zA-Z0-9 ]).{20,}$
GitHub Personal Access Token
Detects classic GitHub personal access tokens (ghp_ prefix). Use to scan logs/commits for leaked secrets.
^ghp_[A-Za-z0-9]{36}$
GitHub Fine-grained Token
Matches modern fine-grained GitHub PATs. Useful for secret-scanning pipelines.
^github_pat_[A-Za-z0-9_]{82}$
AWS Access Key ID
Matches AWS access key IDs (AKIA prefix for long-term, ASIA for STS). Critical for leaked-credentials detection.
(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])
Bearer Authorization Header
Validates a complete Authorization HTTP header in Bearer scheme.
^Bearer\s+[A-Za-z0-9._~+/=-]+$
MD5 Hash
Matches a 32-character lowercase hexadecimal MD5 hash digest.
^[a-f0-9]{32}$
SHA-1 Hash
Matches a 40-character lowercase hexadecimal SHA-1 hash digest.
^[a-f0-9]{40}$
SHA-256 Hash
Matches a 64-character lowercase hexadecimal SHA-256 hash digest.
^[a-f0-9]{64}$
Frequently Asked Questions
Can regex fully prevent SQL injection?
No. Always use parameterized queries or prepared statements. Regex can catch obvious attempts but is not a substitute for proper escaping.
What makes a strong password regex?
Require: minimum 12 chars, at least one uppercase, lowercase, digit, and special character. Use lookaheads: (?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[!@#$%]).
How do I validate a JWT token format?
Use the JWT Token pattern: ^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$ - it checks the 3-part Base64URL structure.
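The GitHub token entries are described as usable for scanning logs and commits, but as listed they are anchored with ^ and $, so they only match when the whole string is the token. The following added example (not part of the original page) adapts them for scanning by swapping the anchors for the same kind of lookaround boundaries the AWS pattern already uses; the helper names, the redaction format and the sample log lines are assumptions constructed for illustration.

```python
import re

# (pattern as listed on the page, token character set used for boundary checks)
PAGE_PATTERNS = {
    "github_pat_classic": (r"^ghp_[A-Za-z0-9]{36}$", "A-Za-z0-9"),
    "github_pat_fine_grained": (r"^github_pat_[A-Za-z0-9_]{82}$", "A-Za-z0-9_"),
    # Already unanchored with lookarounds on the page, so no charset is needed.
    "aws_access_key_id": (r"(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])", ""),
}

def for_scanning(pattern, charset):
    """Replace ^...$ anchors with lookaround boundaries so a token embedded
    in a longer line is found, while a longer look-alike string is not."""
    if pattern.startswith("^") and pattern.endswith("$"):
        pattern = f"(?<![{charset}]){pattern[1:-1]}(?![{charset}])"
    return re.compile(pattern)

SCANNERS = {name: for_scanning(p, cs) for name, (p, cs) in PAGE_PATTERNS.items()}

def redact(token):
    """Keep a 4-character prefix for triage; never copy the full secret into a report."""
    return token[:4] + "*" * (len(token) - 4)

def scan(lines):
    """Return (line_number, kind, redacted_token) for every hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, regex in SCANNERS.items():
            for match in regex.finditer(line):
                findings.append((number, kind, redact(match.group(0))))
    return findings

# Constructed sample data: fake tokens that only have the right shape.
FAKE_GHP = "ghp_" + "A1b2" * 9          # 36 characters after the prefix
FAKE_AKIA = "AKIA" + "EXAMPLE0" * 2     # 16 characters after the prefix
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z INFO starting deploy",
    f"2024-01-01T00:00:01Z DEBUG remote https://{FAKE_GHP}@github.com/example/repo.git",
    f"2024-01-01T00:00:02Z DEBUG env AWS_ACCESS_KEY_ID={FAKE_AKIA}",
    f"2024-01-01T00:00:03Z DEBUG blob {FAKE_GHP}ZZ",  # too long: boundary check rejects it
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```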