diff --git a/app/controllers/admin/subscription_line_items_controller.rb b/app/controllers/admin/subscription_line_items_controller.rb
index a87ddebe45..27ec3611a1 100644
--- a/app/controllers/admin/subscription_line_items_controller.rb
+++ b/app/controllers/admin/subscription_line_items_controller.rb
@@ -11,7 +11,7 @@ module Admin
     respond_to :json
 
     def build
-      @subscription_line_item.assign_attributes(params[:subscription_line_item])
+      @subscription_line_item.assign_attributes(subscription_line_item_params)
       @subscription_line_item.price_estimate = price_estimate
       render json: @subscription_line_item, serializer: Api::Admin::SubscriptionLineItemSerializer,
              shop: @shop, schedule: @schedule
@@ -27,7 +27,7 @@ module Admin
       @shop = Enterprise.managed_by(spree_current_user).find_by(id: params[:shop_id])
       @schedule = permissions.editable_schedules.find_by(id: params[:schedule_id])
       @order_cycle = @schedule.andand.current_or_next_order_cycle
-      @variant = variant_if_eligible(params[:subscription_line_item][:variant_id]) if @shop.present?
+      @variant = variant_if_eligible(subscription_line_item_params[:variant_id]) if @shop.present?
     end
 
     def new_actions
@@ -58,5 +58,9 @@ module Admin
     def variant_if_eligible(variant_id)
       SubscriptionVariantsService.eligible_variants(@shop).find_by(id: variant_id)
     end
+
+    def subscription_line_item_params
+      params.require(:subscription_line_item).permit(:quantity, :variant_id)
+    end
   end
 end
diff --git a/app/controllers/admin/subscriptions_controller.rb b/app/controllers/admin/subscriptions_controller.rb
index da99409469..4561ef3a79 100644
--- a/app/controllers/admin/subscriptions_controller.rb
+++ b/app/controllers/admin/subscriptions_controller.rb
@@ -65,7 +65,7 @@ module Admin
     private
 
     def save_form_and_render(render_issues = true)
-      form = SubscriptionForm.new(@subscription, params[:subscription])
+      form = SubscriptionForm.new(@subscription, subscription_params)
       unless form.save
         render json: { errors: form.json_errors }, status: :unprocessable_entity
         return
@@ -149,11 +149,15 @@ module Admin
     # Overriding Spree method to load data from params here so that
     # we can authorise #create using an object with required attributes
     def build_resource
-      Subscription.new(params[:subscription])
+      Subscription.new(subscription_params)
     end
 
     def ams_prefix_whitelist
       [:index]
     end
+
+    def subscription_params
+      PermittedAttributes::Subscription.new(params).call
+    end
   end
 end
diff --git a/app/services/permitted_attributes/subscription.rb b/app/services/permitted_attributes/subscription.rb
new file mode 100644
index 0000000000..2ab3956fca
--- /dev/null
+++ b/app/services/permitted_attributes/subscription.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+  class Subscription
+    def initialize(params)
+      @params = params
+    end
+
+    def call
+      return @params[:subscription] if @params[:subscription].empty?
+
+      @params.require(:subscription).permit(basic_permitted_attributes + other_permitted_attributes)
+    end
+
+    private
+
+    def basic_permitted_attributes
+      [
+        :id, :shop_id, :schedule_id, :customer_id,
+        :payment_method_id, :shipping_method_id,
+        :begins_at, :ends_at,
+        :canceled_at, :paused_at,
+        :shipping_fee_estimate, :payment_fee_estimate,
+      ]
+    end
+
+    def other_permitted_attributes
+      [
+        subscription_line_items_attributes: [
+          :id, :quantity, :variant_id, :price_estimate, :_destroy
+        ],
+        bill_address_attributes: PermittedAttributes::Address.attributes,
+        ship_address_attributes: PermittedAttributes::Address.attributes
+      ]
+    end
+  end
+end
diff --git a/app/services/subscription_form.rb b/app/services/subscription_form.rb
index da82063b5c..0458467fb5 100644
--- a/app/services/subscription_form.rb
+++ b/app/services/subscription_form.rb
@@ -1,21 +1,21 @@
 require 'open_food_network/proxy_order_syncer'
 
 class SubscriptionForm
-  attr_accessor :subscription, :params, :order_update_issues, :validator, :order_syncer, :estimator
+  attr_accessor :subscription, :subscription_params, :order_update_issues, :validator, :order_syncer, :estimator
 
   delegate :json_errors, :valid?, to: :validator
   delegate :order_update_issues, to: :order_syncer
 
-  def initialize(subscription, params = {})
+  def initialize(subscription, subscription_params = {})
     @subscription = subscription
-    @params = params
+    @subscription_params = subscription_params
     @estimator = SubscriptionEstimator.new(subscription)
     @validator = SubscriptionValidator.new(subscription)
     @order_syncer = OrderSyncer.new(subscription)
   end
 
   def save
-    subscription.assign_attributes(params)
+    subscription.assign_attributes(subscription_params)
     return false unless valid?
 
     subscription.transaction do