I suggest this approach: you leave strong params enabled by default, and you disable them specifically for the controllers that don't need them. (Yes, strong params are in controllers now with Rails 4, not in models anymore.)
To disable them for a specific controller, you can use params.require(:model_name).permit!
That will allow any params for that specific controller.
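Example:
class UnsafeController < ApplicationController
  # ...
  def update
    # ...
    @unsafe.update unsafe_params
    # ...
  end

  private

  # permit! marks every key under params[:unsafe] as permitted (no whitelist)
  def unsafe_params
    params.require(:unsafe).permit!
  end
end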
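
An audit check for the approach in this answer, as an added example that is not part of the original answer: because permit! accepts every key under the required root, it helps to list each controller and method that calls it so the exemptions stay deliberate. The function name, the sample controllers and the line-based matching are assumptions made for illustration.

```ruby
PERMIT_BANG = /\.permit!/
Finding = Struct.new(:file, :line, :klass, :meth, :code)

# Scan Ruby source text and return one Finding per live permit! call.
# Naive by design: line-based, attributes a hit to the most recent class/def,
# and treats everything after '#' as a comment (so '#' inside strings is cut).
def scan_permit_bang(source, file = "(inline)")
  klass = meth = nil
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    code = raw.sub(/#.*\z/m, "").strip
    next if code.empty?
    if (m = code.match(/\A(?:class|module)\s+([A-Z][\w:]*)/))
      klass, meth = m[1], nil
    elsif (m = code.match(/\Adef\s+(?:self\.)?([\w?!=]+)/))
      meth = m[1]
    end
    findings << Finding.new(file, lineno, klass, meth, code) if code.match?(PERMIT_BANG)
  end
  findings
end

# Constructed sample input (not taken from a real application).
SAMPLE = <<~'RUBY'
  class UnsafeController < ApplicationController
    def update
      @unsafe.update unsafe_params
    end
    private
    def unsafe_params
      params.require(:unsafe).permit!
    end
  end
  class UsersController < ApplicationController
    def user_params
      # params.require(:user).permit!  (old, commented out)
      params.require(:user).permit(:name, :email)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_permit_bang(SAMPLE, "sample.rb").each do |f|
    puts "#{f.file}:#{f.line} #{f.klass}##{f.meth}: #{f.code}"
  end
end
```

To audit a real application, pass each file under app/controllers to the function with File.read and review every reported method against the attributes its model exposes.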