tooled
Validationurl regex

URL (HTTP/HTTPS) regex

Practical HTTP/HTTPS URL validator that accepts real URLs and rejects the obvious junk.

Pattern
/^https?:\/\/[^\s/$.?#].[^\s]*$/i
Try it live in the toolkit AI explanation

What it matches

Validating a URL with regex is famously fraught — the RFC 3986 grammar allows things most developers would consider weird (userinfo, percent-encoded paths, dot-segments). This pattern aims at a different target: catching the typos that actually happen in user input. It requires `http://` or `https://`, a host that starts with something non-trivial, and the rest of the URL can be whatever the user types as long as it has no whitespace.

Examples

Matches

  • https://tooled.dev

    Bare HTTPS root URL.

  • http://localhost:3000/path?q=1#hash

    Dev URL with port, path, query, and fragment.

  • https://sub.example.co.uk/path/with/slashes

    Multi-label TLD and deep path.

  • http://192.168.0.1

    IPv4 hosts work without ports or paths.

Does not match

  • tooled.dev

    Missing `http://` or `https://`.

  • ftp://example.com

    We deliberately don't match other protocols.

  • javascript:alert(1)

    Pseudo-URL scheme is rejected — important for XSS prevention.

  • https:// space.com

    Whitespace in the URL.

  • http://.example.com

    Host starts with a dot.

Edge cases & gotchas

  • Accepts URLs without a TLD (`http://intranet/`) — useful for office networks, not always wanted publicly. Tighten by adding `\..+` after the host.
  • Does not URL-decode — `http://example.com/%20space` matches because the literal `%20` has no whitespace.
  • Does not validate the host actually resolves. Use `URL` constructor in JS/TS or `urllib.parse` in Python for parse-don't-validate workflows.
  • Allows trailing punctuation like `https://example.com).` — paste detectors usually strip trailing `).,!?` before matching.

In your language

// JavaScript
const re = new RegExp("^https?:\\/\\/[^\\s/$.?#].[^\\s]*$", "i");
const match = "input".match(re);

All 13 languages (including Bash, Perl, Kotlin, Swift) available in the full toolkit Export tab.

Notes for production

  • If you need to extract URLs from running prose, switch the anchors off and use the `g` flag: `/https?:\/\/[^\s/$.?#].[^\s]*/g`.
  • In JavaScript, the safer modern approach is `new URL(input)` — it throws on invalid URLs and gives you back parsed components.

Frequently asked

Should I use this to validate URLs from users?

For format-checking, yes. For security-sensitive work (open-redirect prevention, CSP construction), use a real URL parser — they understand subtleties like `\` versus `/` in hostnames and the way browsers actually parse weird inputs.

Why doesn't this accept `ftp://` or `mailto:`?

Because the most common ask is 'is this a clickable web link'. Add the protocols you want explicitly — `^(https?|ftp|mailto):\/\/`.

How do I extract every URL from a block of text?

Remove the `^` and `$` anchors and add the `g` flag. The pattern then captures every non-whitespace URL run starting with `http://` or `https://`.

Related patterns

Email address

Practical, permissive email validator that catches typos without rejecting real addresses.

Open

IPv4 address

Strict IPv4 that rejects out-of-range octets like 999.999.999.999.

Open

URL slug (kebab-case)

Lowercase alphanumerics with single hyphens between words — the canonical URL slug shape.

Open
All patternsOpen the AI Regex Toolkit