diff --git a/Gemfile b/Gemfile
index 8bff15c..d501f7a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -10,6 +10,7 @@ gem 'haml', '~> 3.2.0.alpha'
 gem 'http_accept_language'
 gem 'pg'
 gem 'rails_admin'
+gem 'strong_parameters'
 gem 'validates_formatting_of'
 
 platforms :ruby_18 do
diff --git a/Gemfile.lock b/Gemfile.lock
index 5a9d915..13b4e07 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -142,6 +142,10 @@ GEM
 rack (~> 1.0)
 tilt (~> 1.1, != 1.3.0)
 sqlite3 (1.3.6)
+ strong_parameters (0.1.5)
+ actionpack (~> 3.1)
+ activemodel (~> 3.1)
+ railties (~> 3.1)
 thor (0.16.0)
 tilt (1.3.3)
 treetop (1.4.12)
@@ -176,6 +180,7 @@ DEPENDENCIES
 sass-rails
 simplecov
 sqlite3
+ strong_parameters
 uglifier
 validates_formatting_of
 webmock
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index b341eeb..80191a7 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -18,4 +18,10 @@ class PasswordsController < Devise::PasswordsController
 self.resource = resource_class.reset_password_by_token(resource_params)
 redirect_to(controller: "main", action: "index")
 end
+
+private
+
+ def resource_params
+ params.require(:user).permit(:email, :password, :password_confirmation, :reset_password_token)
+ end
 end
diff --git a/app/controllers/reminders_controller.rb b/app/controllers/reminders_controller.rb
index 24ad275..acfa5ed 100644
--- a/app/controllers/reminders_controller.rb
+++ b/app/controllers/reminders_controller.rb
@@ -2,7 +2,7 @@ class RemindersController < ApplicationController
 respond_to :json
 
 def create
- @reminder = Reminder.new(params[:reminder])
+ @reminder = Reminder.new(reminder_params)
 @reminder.from_user = current_user
 if @reminder.save
 ThingMailer.reminder(@reminder.thing).deliver
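Review bot: `gem 'strong_parameters'` is added without a version constraint, while Gemfile.lock resolves it to the pre-1.0 release 0.1.5. The lockfile keeps installs reproducible, but a later `bundle update` can move a 0.x gem across an incompatible minor unannounced; a pessimistic pin such as `gem 'strong_parameters', '~> 0.1.5'` matches the style already used for `haml` in the hunk header.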
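Review bot: `resource_params` hard-codes the `:user` key with `params.require(:user)`, whereas the Devise helper it overrides resolves the key from the mapping (`resource_name`, if I read DeviseController correctly); `params.require(resource_name).permit(...)` keeps the two in step if the mapping is ever renamed. Overriding this helper also changes what Devise's own `create` action passes to `send_reset_password_instructions`, which works here because `:email` is permitted, but deserves a one-line comment such as `# Overrides Devise's resource_params; also used by #create for the reset-instructions email.` The `private` keyword sits at column 0 while things_controller.rb in the same commit indents it — pick one. The `update` method containing the `reset_password_by_token` call begins outside the hunk.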
@@ -12,4 +12,10 @@ class RemindersController < ApplicationController
 render(json: {errors: @reminder.errors}, status: 500)
 end
 end
+
+private
+
+ def reminder_params
+ params.require(:reminder).permit(:thing_id, :to_user_id)
+ end
 end
diff --git a/app/controllers/things_controller.rb b/app/controllers/things_controller.rb
index 0063b39..f6680ae 100644
--- a/app/controllers/things_controller.rb
+++ b/app/controllers/things_controller.rb
@@ -12,10 +12,16 @@ class ThingsController < ApplicationController
 
 def update
 @thing = Thing.find(params[:id])
- if @thing.update_attributes(params[:thing])
+ if @thing.update_attributes(thing_params)
 respond_with @thing
 else
 render(json: {errors: @thing.errors}, status: 500)
 end
 end
+
+ private
+
+ def thing_params
+ params.require(:thing).permit(:name, :user_id)
+ end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 81eebc1..237187b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -24,4 +24,14 @@ class UsersController < Devise::RegistrationsController
 render(json: {errors: resource.errors}, status: 500)
 end
 end
+
+private
+
+ def resource_params
+ params.require(:user).permit(:address_1, :address_2, :city,
+ :current_password, :email, :name,
+ :organization, :password,
+ :password_confirmation, :remember_me,
+ :sms_number, :state, :voice_number, :zip)
+ end
 end
diff --git a/app/models/reminder.rb b/app/models/reminder.rb
index 044f0e1..543ffa2 100644
--- a/app/models/reminder.rb
+++ b/app/models/reminder.rb
@@ -1,5 +1,5 @@
 class Reminder < ActiveRecord::Base
- attr_accessible :thing_id, :to_user_id
+ include ActiveModel::ForbiddenAttributesProtection
 validates_presence_of :from_user, :to_user, :thing
 belongs_to :from_user, class_name: "User"
 belongs_to :to_user, class_name: "User"
diff --git a/app/models/thing.rb b/app/models/thing.rb
index 8e200df..12782bb 100644
--- a/app/models/thing.rb
+++ b/app/models/thing.rb
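Review bot: `thing_params` permits `:user_id`, so anyone who can reach `update` can reassign a Thing to another user by changing one form field, and the `Thing.find(params[:id])` on the context line is not scoped to the current user either. If Things are owned by the requester, drop `:user_id` from the permit list and set the owner server-side, the way reminders_controller.rb already does with `@reminder.from_user = current_user`; if reassignment is a real feature, it should be authorized explicitly. The list mirrors the removed `attr_accessible :name, :user_id`, so this is carried forward rather than introduced, but the rewrite is the moment to tighten it. The class header of ThingsController is outside the hunk.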
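Review bot: a single `resource_params` list now serves every Devise registration action, so sign-up (`create`) also accepts `:current_password` — which `User.new` has no attribute for unless Devise defines one, and would raise on an unknown attribute if a client ever posts it — while account update receives the same full-profile list; splitting it into per-action lists (the names later Devise versions use are `sign_up_params` and `account_update_params`) keeps each action's surface explicit. As in passwords_controller.rb, `params.require(:user)` hard-codes the key where `resource_name` would follow the Devise mapping. A short comment, `# Overrides Devise's resource_params for both sign-up and account update.`, would make the shared use visible to the next reader.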
@@ -1,6 +1,6 @@ class Thing < ActiveRecord::Base + include ActiveModel::ForbiddenAttributesProtection include Geokit::Geocoders - attr_accessible :name, :user_id validates_uniqueness_of :city_id, allow_nil: true validates_presence_of :lat, :lng belongs_to :user diff --git a/app/models/user.rb b/app/models/user.rb index 8e82197..aa21768 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,12 +1,10 @@ class User < ActiveRecord::Base + include ActiveModel::ForbiddenAttributesProtection # Include default devise modules. Others available are: # :token_authenticatable, :confirmable, # :lockable, :timeoutable and :omniauthable devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable - attr_accessible :address_1, :address_2, :city, :email, :name, :organization, - :password, :password_confirmation, :remember_me, :sms_number, :state, - :voice_number, :zip validates_formatting_of :email, using: :email validates_formatting_of :sms_number, using: :us_phone, allow_blank: true validates_formatting_of :voice_number, using: :us_phone, allow_blank: true diff --git a/config/application.rb b/config/application.rb index d8af986..0f224c2 100644 --- a/config/application.rb +++ b/config/application.rb @@ -51,7 +51,7 @@ module AdoptAThing # This will create an empty whitelist of attributes available for mass-assignment for all models # in your app. As such, your models will need to explicitly whitelist or blacklist accessible # parameters by using an attr_accessible or attr_protected declaration. - config.active_record.whitelist_attributes = true + # config.active_record.whitelist_attributes = true # Enable the asset pipeline config.assets.enabled = true
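Review bot: commenting out `config.active_record.whitelist_attributes = true` removes the only app-wide mass-assignment guard, so any model that does not explicitly `include ActiveModel::ForbiddenAttributesProtection` — including every model added after this commit — becomes fully mass-assignable by default, and the three comment lines above it now describe a setting that is off. ForbiddenAttributesProtection also only raises for unpermitted `ActionController::Parameters`; a plain Hash built from `params[...]` passes straight through, which the removed `attr_accessible` lists used to filter. Rather than relying on each model remembering the include, add it once for all models (for example an initializer with `ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`) and replace the stale comment with one stating that the whitelist is disabled because attribute filtering moved to the strong_parameters permit lists in the controllers.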