diff --git a/app/controllers/aspects_controller.rb b/app/controllers/aspects_controller.rb
index 3a988b3e2..9ba5cf702 100644
--- a/app/controllers/aspects_controller.rb
+++ b/app/controllers/aspects_controller.rb
@@ -10,7 +10,7 @@ class AspectsController < ApplicationController
 :json
 def create
- @aspect = current_user.aspects.build(params[:aspect])
+ @aspect = current_user.aspects.build(aspect_params)
 aspecting_person_id = params[:aspect][:person_id]
 if @aspect.save
@@ -92,7 +92,7 @@ class AspectsController < ApplicationController
 def update
 @aspect = current_user.aspects.where(:id => params[:id]).first
- if @aspect.update_attributes!(params[:aspect])
+ if @aspect.update_attributes!(aspect_params)
 flash[:notice] = I18n.t 'aspects.update.success', :name => @aspect.name
 else
 flash[:error] = I18n.t 'aspects.update.failure', :name => @aspect.name
@@ -121,4 +121,8 @@ class AspectsController < ApplicationController
 @contact = current_user.share_with(@person, @aspect)
 end
 end
+
+ def aspect_params
+ params.require(:aspect).permit(:name, :contacts_visible, :order_id)
+ end
 end
diff --git a/app/models/aspect.rb b/app/models/aspect.rb
index a1241b5d6..ef7e49ae4 100644
--- a/app/models/aspect.rb
+++ b/app/models/aspect.rb
@@ -3,6 +3,8 @@
 # the COPYRIGHT file.
 class Aspect < ActiveRecord::Base
+ include ActiveModel::ForbiddenAttributesProtection
+
 belongs_to :user
 has_many :aspect_memberships, :dependent => :destroy
@@ -16,8 +18,6 @@ class Aspect < ActiveRecord::Base
 validates_uniqueness_of :name, :scope => :user_id, :case_sensitive => false
- attr_accessible :name, :contacts_visible, :order_id
-
 before_validation do
 name.strip!
 end
diff --git a/spec/controllers/aspects_controller_spec.rb b/spec/controllers/aspects_controller_spec.rb
index 1e68047e3..8da2b2554 100644
--- a/spec/controllers/aspects_controller_spec.rb
+++ b/spec/controllers/aspects_controller_spec.rb
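Review bot: `aspect_params` is added directly before the class's closing `end` in the third hunk of this file, and nothing in the hunk shows a `private` marker above it; Rails treats every public instance method of a controller as an action, so unless the preceding section is already private this helper should be declared under `private` so it can never be routed to. `params.require(:aspect)` also changes the failure mode of `create` and `update` (the first two hunks): a request with no `aspect` key now raises `ActionController::ParameterMissing` (a 400) instead of handing `nil` to `build`/`update_attributes!`, which is reasonable but is covered by neither spec. The method itself could use a one-line header, e.g. `# Whitelist for Aspect mass assignment; person_id is deliberately absent and is read from params[:aspect] directly in #create.`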
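Review bot: With `attr_accessible` dropped in the second hunk of app/models/aspect.rb, the model no longer filters mass assignment on its own; as far as I know `ActiveModel::ForbiddenAttributesProtection` only rejects a hash that responds to `permitted?` and answers false, so a plain Hash assembled by hand from request parameters is assigned unchecked. Protection therefore rests on every write path going through a `permit` whitelist like `AspectsController#aspect_params`, and any remaining caller that passes `params[:aspect]` straight in will now raise `ActiveModel::ForbiddenAttributesError` rather than silently dropping attributes — the intended fail-closed behaviour, but the other callers need auditing. Suggest documenting this on the `include` line: `# Mass-assignment whitelisting moved to the controllers (strong parameters); plain hashes are not filtered here.`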
@@ -47,6 +47,30 @@ describe AspectsController do
 end
 describe "#create" do
+ context "strong parameters" do
+ it "permits 'name', 'contacts_visible' and 'order_id'" do
+ post :create, "aspect" => {
+ "name" => "new aspect",
+ "contacts_visible" => true,
+ "order_id" => 1
+ }
+ aspect = alice.aspects.last
+ aspect.name.should eq("new aspect")
+ aspect.contacts_visible.should eq(true)
+ aspect.order_id.should eq(1)
+ end
+
+ it "forbids other params" do
+ post :create, "aspect" => {
+ "name" => "new aspect",
+ "user_id" => 123
+ }
+ aspect = Aspect.last
+ aspect.name.should eq("new aspect")
+ aspect.user_id.should_not eq(123)
+ end
+ end
+
 context "with valid params" do
 it "creates an aspect" do
 alice.aspects.count.should == 2
@@ -97,6 +121,30 @@ describe AspectsController do
 @alices_aspect_1 = alice.aspects.create(:name => "Bruisers")
 end
+ context "strong parameters" do
+ it "permits 'name', 'contacts_visible' and 'order_id'" do
+ put 'update', :id => @alices_aspect_1.id, "aspect" => {
+ "name" => "new aspect",
+ "contacts_visible" => true,
+ "order_id" => 1
+ }
+ aspect = Aspect.find(@alices_aspect_1.id)
+ aspect.name.should eq("new aspect")
+ aspect.contacts_visible.should eq(true)
+ aspect.order_id.should eq(1)
+ end
+
+ it "forbids other params" do
+ put :update, :id => @alices_aspect_1.id, "aspect" => {
+ "name" => "new aspect",
+ "user_id" => 123
+ }
+ aspect = Aspect.find(@alices_aspect_1.id)
+ aspect.name.should eq("new aspect")
+ aspect.user_id.should_not eq(123)
+ end
+ end
+
 it "doesn't overwrite random attributes" do
 new_user = FactoryGirl.create :user
 params = {"name" => "Bruisers"}
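Review bot: In the "forbids other params" example of the first hunk, `aspect.user_id.should_not eq(123)` only proves the value is not 123; asserting what it must be, `aspect.user_id.should eq(alice.id)`, pins that the record still belongs to the signed-in user, and loading it via `alice.aspects.last` as the sibling example does would make the ownership check implicit. The matching "forbids other params" example in the second hunk has the same weakness. That hunk also mixes `put 'update'` and `put :update` for the same action; using the symbol form in both keeps the two examples consistent.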