This complete, single-file solution provides a high-end, professional security workspace. It handles JWT encoding/decoding, JSON validation, and vulnerability simulation entirely in memory using pure JavaScript, CSS, and HTML.

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Free JWT "alg": "none" Vulnerability Tester & Security Tool</title>
    
    <!-- Dependencies -->
    <script src="https://cdn.tailwindcss.com"></script>
    <script src="https://unpkg.com/lucide@latest"></script>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet">
    
    <style>
        body { font-family: 'Inter', sans-serif; }
        .glass { background: rgba(255, 255, 255, 0.7); backdrop-filter: blur(10px); border: 1px solid rgba(255, 255, 255, 0.3); }
        .gradient-text { background: linear-gradient(135deg, #4f46e5 0%, #7c3aed 100%); -webkit-background-clip: text; -webkit-text-fill-color: transparent; }
        .segment-header { color: #2563eb; }
        .segment-payload { color: #7c3aed; }
        .segment-signature { color: #d97706; }
        textarea { resize: vertical; min-height: 150px; font-family: monospace; }
        .token-segment { word-break: break-all; padding: 4px; border-radius: 4px; }
        .card-shadow { box-shadow: 0 10px 25px -5px rgba(0, 0, 0, 0.1), 0 8px 10px -6px rgba(0, 0, 0, 0.1); }
        .hide-scrollbar::-webkit-scrollbar { display: none; }
    </style>
</head>
<body class="bg-slate-50 text-slate-900 min-h-screen flex flex-col">

    <!-- Header -->
    <header class="p-6 max-w-6xl mx-auto w-full">
        <h1 class="text-3xl font-bold gradient-text">JWT "alg": "none" Vulnerability Tester</h1>
        <p class="text-slate-600 mt-2">A security education tool to simulate and visualize JSON Web Token vulnerabilities.</p>
    </header>

    <!-- Main Workspace -->
    <main class="flex-grow max-w-6xl mx-auto w-full px-4 pb-32">
        <div class="grid grid-cols-1 lg:grid-cols-2 gap-8">
            
            <!-- Left Column: Input/Edit -->
            <div class="space-y-6">
                <!-- Header Card -->
                <div class="bg-white p-6 rounded-2xl card-shadow border border-slate-100">
                    <label class="block text-sm font-semibold text-slate-500 mb-2 uppercase tracking-wider">Header JSON</label>
                    <textarea id="header-input" class="w-full p-4 bg-slate-50 border border-slate-200 rounded-lg focus:ring-2 focus:ring-indigo-500 outline-none transition-all"></textarea>
                    <div id="header-error" class="text-xs text-red-500 mt-2 hidden italic">Invalid JSON format</div>
                </div>

                <!-- Payload Card -->
                <div class="bg-white p-6 rounded-2xl card-shadow border border-slate-100">
                    <label class="block text-sm font-semibold text-slate-500 mb-2 uppercase tracking-wider">Payload JSON</label>
                    <textarea id="payload-input" class="w-full p-4 bg-slate-50 border border-slate-200 rounded-lg focus:ring-2 focus:ring-indigo-500 outline-none transition-all"></textarea>
                    <div id="payload-error" class="text-xs text-red-500 mt-2 hidden italic">Invalid JSON format</div>
                </div>

                <!-- Security Info Panel -->
                <div class="bg-indigo-50 p-6 rounded-2xl border border-indigo-100">
                    <h3 class="flex items-center font-semibold text-indigo-900 mb-2"><i data-lucide="shield-alert" class="w-5 h-5 mr-2"></i> Security Context</h3>
                    <p class="text-sm text-indigo-700 leading-relaxed">
                        The <strong>"alg": "none"</strong> vulnerability occurs when a server accepts tokens without verifying the signature. By setting the algorithm to "none", attackers can bypass signature verification entirely.
                    </p>
                </div>
            </div>

            <!-- Right Column: Visualization -->
            <div class="space-y-6">
                <div class="bg-white p-6 rounded-2xl card-shadow border border-slate-100 sticky top-6">
                    <label class="block text-sm font-semibold text-slate-500 mb-4 uppercase tracking-wider">Live Token Visualization</label>
                    
                    <div id="token-visualizer" class="bg-slate-900 text-white p-6 rounded-xl font-mono text-sm break-all leading-relaxed">
                        <span id="vis-header" class="segment-header"></span>.<span id="vis-payload" class="segment-payload"></span>.<span id="vis-signature" class="segment-signature"></span>
                    </div>

                    <div class="mt-6">
                        <label class="block text-sm font-semibold text-slate-500 mb-2 uppercase tracking-wider">Full Encoded String</label>
                        <div class="bg-slate-100 p-4 rounded-lg border border-slate-200 text-slate-700 font-mono text-sm break-all" id="full-token-text"></div>
                    </div>
                </div>
            </div>
        </div>
    </main>

    <!-- Sticky Action Bar -->
    <div class="fixed bottom-0 left-0 right-0 bg-white/80 backdrop-blur-lg border-t border-slate-200 p-4 shadow-lg">
        <div class="max-w-6xl mx-auto flex flex-wrap items-center justify-between gap-4">
            <div id="status-bar" class="text-sm font-medium text-slate-600 flex items-center">
                <i data-lucide="check-circle-2" class="w-4 h-4 mr-2 text-green-500"></i>
                System Ready
            </div>
            
            <div class="flex gap-3">
                <button onclick="resetApp()" class="px-4 py-2 text-slate-600 hover:text-slate-900 transition-colors">Reset</button>
                <button onclick="applyVulnerability()" class="px-5 py-2 bg-amber-500 hover:bg-amber-600 text-white font-semibold rounded-lg shadow-md transition-all transform hover:-translate-y-0.5">Apply "alg": "none"</button>
                <button onclick="copyToken()" class="px-5 py-2 bg-indigo-600 hover:bg-indigo-700 text-white font-semibold rounded-lg shadow-md transition-all transform hover:-translate-y-0.5 flex items-center">
                    <i data-lucide="copy" class="w-4 h-4 mr-2"></i> Copy
                </button>
            </div>
        </div>
    </div>

    <script>
        // --- State Management ---
        const state = {
            header: { alg: "HS256", typ: "JWT" },
            payload: { sub: "1234567890", name: "John Doe", iat: 1516239022 },
            signature: "signature_placeholder"
        };

        // --- Core Logic Helpers ---
        function base64urlEncode(obj) {
            const str = JSON.stringify(obj);
            return btoa(str)
                .replace(/\+/g, '-')
                .replace(/\//g, '_')
                .replace(/=+$/, '');
        }

        function base64urlDecode(str) {
            try {
                str = str.replace(/-/g, '+').replace(/_/g, '/');
                while (str.length % 4) str += '=';
                return JSON.parse(atob(str));
            } catch (e) {
                return null;
            }
        }

        // --- UI Updates ---
        function updateUI() {
            const headerInput = document.getElementById('header-input');
            const payloadInput = document.getElementById('payload-input');
            const visHeader = document.getElementById('vis-header');
            const visPayload = document.getElementById('vis-payload');
            const visSignature = document.getElementById('vis-signature');
            const fullTokenText = document.getElementById('full-token-text');
            const statusBar = document.getElementById('status-bar');

            // Set inputs
            headerInput.value = JSON.stringify(state.header, null, 2);
            payloadInput.value = JSON.stringify(state.payload, null, 2);

            // Update Visualizer
            const b64H = base64urlEncode(state.header);
            const b64P = base64urlEncode(state.payload);
            const b64S = state.signature || "";

            visHeader.innerText = b64H;
            visPayload.innerText = b64P;
            visSignature.innerText = b64S;
            fullTokenText.innerText = `${b64H}.${b64P}.${b64S}`;
        }

        // --- Events ---
        document.getElementById('header-input').addEventListener('input', (e) => {
            try {
                state.header = JSON.parse(e.target.value);
                document.getElementById('header-error').classList.add('hidden');
                updateUI();
            } catch {
                document.getElementById('header-error').classList.remove('hidden');
            }
        });

        document.getElementById('payload-input').addEventListener('input', (e) => {
            try {
                state.payload = JSON.parse(e.target.value);
                document.getElementById('payload-error').classList.add('hidden');
                updateUI();
            } catch {
                document.getElementById('payload-error').classList.remove('hidden');
            }
        });

        // --- Actions ---
        function applyVulnerability() {
            state.header.alg = "none";
            state.signature = "";
            updateUI();
            showStatus("Insecure State Applied: alg: none", "text-amber-600");
        }

        function resetApp() {
            state.header = { alg: "HS256", typ: "JWT" };
            state.payload = { sub: "1234567890", name: "John Doe", iat: 1516239022 };
            state.signature = "signature_placeholder";
            updateUI();
            showStatus("Reset to Defaults", "text-green-600");
        }

        function copyToken() {
            const token = document.getElementById('full-token-text').innerText;
            navigator.clipboard.writeText(token);
            showStatus("Token Copied to Clipboard!", "text-indigo-600");
        }

        function showStatus(msg, colorClass) {
            const sb = document.getElementById('status-bar');
            sb.className = `text-sm font-medium ${colorClass} flex items-center`;
            sb.innerHTML = `<i data-lucide="info" class="w-4 h-4 mr-2"></i> ${msg}`;
            lucide.createIcons();
            setTimeout(() => {
                sb.className = "text-sm font-medium text-slate-600 flex items-center";
                sb.innerHTML = `<i data-lucide="check-circle-2" class="w-4 h-4 mr-2 text-green-500"></i> Ready`;
                lucide.createIcons();
            }, 3000);
        }

        // --- Init ---
        function init() {
            lucide.createIcons();
            updateUI();
        }

        window.onload = init;
    </script>
</body>
</html>