Safely Supporting User-Generated Regex Patterns
User-defined regex unlocks advanced search features but also introduces denial-of-service risk and unpredictable complexity. Treat custom patterns as untrusted code.
Constrain Engine Features
Disable advanced constructs where possible (for example recursion, or constructs that cause catastrophic backtracking in unsafe engines) and prefer linear-time engines when available.
Apply Input and Pattern Limits
Cap pattern length, input size, and execution time. Hard limits reduce blast radius from both malicious and accidental heavy queries.
Run in Isolated Workers
Evaluate user regex in worker threads or separate processes so that a match that hits its timeout can be stopped without blocking request threads.
Audit and Rate Limit
Log pattern hashes and enforce per-user quotas. Abuse patterns usually become visible as repeat offenders in logs.
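The limits, isolated evaluation and hash logging described above can be combined as in the following added example, which is not code from the original article. It runs Python's backtracking re module in a child process; the limit values, status names and the safe_search and pattern_hash helpers are assumptions made for illustration, and per-user quota enforcement is left out.

```python
import hashlib, json, logging, subprocess, sys

MAX_PATTERN_LEN = 200    # assumed limits for this example; tune per deployment
MAX_INPUT_LEN = 10_000
TIMEOUT_S = 1.0
log = logging.getLogger("regex_audit")

# Code run in the child process: compile and search there, reply as JSON.
_CHILD = """
import json, re, sys
req = json.load(sys.stdin)
try:
    m = re.search(req["pattern"], req["text"])
    print(json.dumps({"span": list(m.span()) if m else None}))
except Exception as exc:
    print(json.dumps({"error": str(exc)}))
"""

def pattern_hash(pattern):
    """Short stable identifier for audit logs, so raw patterns need not be stored."""
    return hashlib.sha256(pattern.encode("utf-8", "surrogatepass")).hexdigest()[:16]

def safe_search(pattern, text, user="anonymous", timeout=TIMEOUT_S):
    """Evaluate an untrusted pattern under limits; returns status, hash and span."""
    result = {"status": "ok", "hash": pattern_hash(pattern), "span": None}
    if len(pattern) > MAX_PATTERN_LEN or len(text) > MAX_INPUT_LEN:
        result["status"] = "rejected_limit"
    else:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", _CHILD],
                input=json.dumps({"pattern": pattern, "text": text}),
                capture_output=True, text=True, timeout=timeout,
            )
            reply = json.loads(proc.stdout)
            if "error" in reply:
                result["status"] = "rejected_pattern"
            else:
                result["span"] = reply["span"]
        except subprocess.TimeoutExpired:
            # subprocess.run kills the child before raising, so no worker is left running.
            result["status"] = "timeout"
    # user is assumed to be an authenticated account id supplied by the application.
    log.info("user=%s hash=%s status=%s", user, result["hash"], result["status"])
    return result
```

Counting "timeout" and "rejected_limit" entries per user and per hash in the regex_audit log is what surfaces the repeat offenders.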