diff --git a/lib/searchkick/relation.rb b/lib/searchkick/relation.rb
index 8723a86..bbc80a4 100644
--- a/lib/searchkick/relation.rb
+++ b/lib/searchkick/relation.rb
@@ -29,6 +29,8 @@ module Searchkick
 end
 
 def where!(opts)
+ opts = sanitize_opts(opts)
+
 if options[:where]
 options[:where] = [{_and: [options[:where], opts]}]
 else
@@ -55,6 +57,15 @@ module Searchkick
 
 private
 
+ def sanitize_opts(attributes)
+ if attributes.respond_to?(:permitted?)
+ raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
+ attributes.to_h
+ else
+ attributes
+ end
+ end
+
 def execute
 Query.new(klass, term, options).execute
 end
diff --git a/test/relation_test.rb b/test/relation_test.rb
index 31e019f..fa54667 100644
--- a/test/relation_test.rb
+++ b/test/relation_test.rb
@@ -3,11 +3,25 @@ require_relative "test_helper"
 class RelationTest < Minitest::Test
 def test_works
 store_names ["Product A", "Product B"]
- p Product.search("product", relation: true).where(name: "Product A").limit(1)
+ relation = Product.search("product", relation: true).where(name: "Product A").limit(1)
+ assert_equal ["Product A"], relation.map(&:name)
 end
 
 def test_no_term
 store_names ["Product A"]
- p Product.search(relation: true)
+ assert_equal ["Product A"], Product.search(relation: true).map(&:name)
+ end
+
+ def test_parameters
+ skip unless defined?(ActiveRecord)
+ require "action_controller"
+
+ params = ActionController::Parameters.new({store_id: 1})
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Product.where(params)
+ end
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Product.search(relation: true).where(params)
+ end
 end
 end
-- libgit2 0.21.0
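Review bot: The sanitize_opts call added at the top of where! only covers the chainable where! path; the `if options[:where]` branch right below it shows that options[:where] can already be populated before where! runs, and if that initial value comes from the search call's own options (inferred, not visible here) an ActionController::Parameters object reaches the query builder through that path unchecked. Apply the same check wherever options[:where] is first assigned, or confirm that the constructor already runs it. where!'s body continues past the end of this hunk.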
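Review bot: `raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?` in sanitize_opts is the negated-if form; write it as `raise ActiveModel::ForbiddenAttributesError unless attributes.permitted?`, and give the method a one-line purpose comment such as `# Mirror ActiveRecord: reject unpermitted ActionController::Parameters outright rather than filtering them silently.` Separately, `attributes.to_h` on permitted Parameters yields a string-keyed hash, whereas the first hunk builds the where clause with a symbol key (`_and:`); if the downstream where builder dispatches on symbol keys like that, confirm that string keys coming from permitted params are handled, or normalize the key type here. The ActiveModel constant is only resolved when an object responds to permitted?, which presumably means ActiveModel is loaded in that case — worth confirming rather than assuming.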
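Review bot: In test_parameters, `skip unless defined?(ActiveRecord)` guards the wrong dependency for the line that follows it: `require "action_controller"` raises LoadError when actionpack is not installed, which fails the suite instead of skipping the test. Rescue the LoadError into a skip, and also exercise the permitted path — the test currently proves only that unpermitted params are rejected, and nothing shows that `params.permit(:store_id)` still flows through where without raising, which is the behaviour the sanitize_opts change is meant to preserve. The assertion on `Product.where(params)` only checks ActiveRecord's own behaviour, which is fine as a baseline but is not the code under test.
```ruby
def test_parameters
  skip unless defined?(ActiveRecord)
  begin
    require "action_controller"
  rescue LoadError
    skip "action_controller not available"
  end

  params = ActionController::Parameters.new({store_id: 1})
  # … unchanged: ForbiddenAttributesError assertions …

  # permitted parameters must pass through sanitize_opts without raising
  permitted = params.permit(:store_id)
  Product.search(relation: true).where(permitted).map(&:name)
end
```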