diff --git a/Gemfile.d/other_stuff.rb b/Gemfile.d/other_stuff.rb
index 781f55658b8..b47a3ebfa51 100644
--- a/Gemfile.d/other_stuff.rb
+++ b/Gemfile.d/other_stuff.rb
@@ -5,6 +5,7 @@ if CANVAS_RAILS3
 gem 'builder', '3.0.0'
 gem 'tzinfo', '0.3.39'
 gem 'routing_concerns', '0.1.0'
+ gem 'strong_parameters', '0.2.3'
 else
 gem 'rails', '4.0.10'
 gem 'rack', '1.5.2'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ba4a21fc2bc..3cd6fcb5448 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1044,6 +1044,8 @@ class ApplicationController < ActionController::Base
 when AuthenticationMethods::AccessTokenError
 add_www_authenticate_header
 data = { errors: [{message: 'Invalid access token.'}] }
+ when ActionController::ParameterMissing
+ data = { errors: [{message: "#{exception.param} is missing"}] }
 else
 if status_code.is_a?(Symbol)
 status_code_string = status_code.to_s
diff --git a/config/application.rb b/config/application.rb
index cd3b9a92be5..95dc369d358 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -28,6 +28,9 @@ module CanvasRails
 config.filter_parameters.concat LoggingFilter.filtered_parameters
 config.action_dispatch.rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
 config.action_dispatch.rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
+ if CANVAS_RAILS3
+ config.action_dispatch.rescue_responses['ActionController::ParameterMissing'] = 400
+ end
 config.app_generators do |c|
 c.test_framework :rspec
diff --git a/config/initializers/strong_parameters.rb b/config/initializers/strong_parameters.rb
new file mode 100644
index 00000000000..9d8c3b1a2b0
--- /dev/null
+++ b/config/initializers/strong_parameters.rb
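Review bot: The new `when ActionController::ParameterMissing` branch only sets `data` and says nothing about where its HTTP status comes from, unlike the access-token branch just above it, which at least calls `add_www_authenticate_header` to make its 401 self-explanatory; the 400 for this branch depends on `action_dispatch.rescue_responses` (Rails 4's built-in mapping, or the Rails 3 entry this same commit adds in config/application.rb), so a comment such as `# status 400 comes from action_dispatch.rescue_responses, see config/application.rb` would save the next reader a search. As a point of style, the sibling message is `'Invalid access token.'` with a trailing period while the new one is `"#{exception.param} is missing"` without; pick one convention since API clients will see both. `exception.param` is the key the server passed to `require`, not client-supplied data, so interpolating it into the JSON error is safe as written. The enclosing `case` starts and ends outside this hunk.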
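Review bot: The `if CANVAS_RAILS3` guard around the new `rescue_responses` entry carries no explanation of why the 400 mapping is Rails-3-only, which is exactly the question someone retiring that flag will ask. As far as I recall, Rails 4's action_dispatch registers `ActionController::ParameterMissing` as `:bad_request` itself while the strong_parameters backport used on Rails 3 does not, but that should be confirmed against both versions before relying on it; a comment like `# Rails 4 maps ParameterMissing to 400 itself; the strong_parameters gem on Rails 3 does not register it` above the `if` would record the reason. The key matches the string-class-name style of the two 401 entries above it, which is fine. The enclosing `module CanvasRails` block starts and ends outside the hunk.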
@@ -0,0 +1,34 @@
+# default to *non* strong parameters
+ActionController::Base.class_eval do
+ def params
+ @_params ||= request.parameters
+ end
+
+ def strong_params
+ @_strong_params ||= ActionController::Parameters.new(request.parameters)
+ end
+
+ def params=(val)
+ @_strong_params = val.is_a?(Hash) ? ActionController::Parameters.new(val) : val
+ @_params = val
+ end
+end
+
+# completely ignore attr_accessible if it's a strong parameters
+module ForbiddenAttributesProtectionWithoutAttrAccessible
+ def sanitize_for_mass_assignment(*options)
+ new_attributes = options.first
+ if new_attributes.respond_to?(:permitted?)
+ raise ActiveModel::ForbiddenAttributes unless new_attributes.permitted?
+ new_attributes
+ else
+ super
+ end
+ end
+end
+
+ActiveRecord::Base.send(:include, ForbiddenAttributesProtectionWithoutAttrAccessible)
+
+ActionController::ParameterMissing.class_eval do
+ def skip_error_report?; true; end
+end
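Review bot: The `permitted?` branch of `sanitize_for_mass_assignment` hands the attributes back without ever consulting `attr_accessible`/`attr_protected`, so for any model fed a permitted `ActionController::Parameters` the controller's `permit` call is the sole mass-assignment gate and a `strong_params.permit!` anywhere silently exposes every column the model whitelist used to protect; that trade-off deserves a real comment on the module in place of the one-liner, e.g. `# Permitted strong parameters skip attr_accessible entirely; the controller's permit list is the only whitelist, so never call permit! on request data`. The `raise ActiveModel::ForbiddenAttributes` also needs checking on the Rails 4 side of this codebase: the strong_parameters gem defines that constant, but Rails 4 ships `ActiveModel::ForbiddenAttributesError`, and nothing in this diff defines the shorter name there, so on Rails 4 an unpermitted hash would surface as a `NameError` (still fail-closed, but the wrong class for any rescue) — confirm, and if so raise `ActiveModel::ForbiddenAttributesError` when it is defined. Separately, `params` and `strong_params` are memoised independently and `Parameters.new(request.parameters)` copies the hash, so a `params[:x] = ...` made after `strong_params` has been built (or the reverse) is invisible to the other accessor and only `params=` resynchronises them; a note on `strong_params` saying `# snapshot: later writes to params are not reflected here` would prevent surprises. Finally, `ActiveRecord::Base.send(:include, ...)` only overrides `sanitize_for_mass_assignment` if the existing definition lives in a module included earlier (so `super` resolves to it); if any supported Rails version defines it directly on the class the include is shadowed, which is worth a comment or a boot-time check.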