diff --git a/app/controllers/settings/aliases_controller.rb b/app/controllers/settings/aliases_controller.rb
index a421b8ede3..c21d43eeb3 100644
--- a/app/controllers/settings/aliases_controller.rb
+++ b/app/controllers/settings/aliases_controller.rb
@@ -30,7 +30,7 @@ class Settings::AliasesController < Settings::BaseController
   private
 
   def resource_params
-    params.require(:account_alias).permit(:acct)
+    params.expect(account_alias: [:acct])
   end
 
   def set_alias
diff --git a/app/controllers/settings/deletes_controller.rb b/app/controllers/settings/deletes_controller.rb
index 16c201b6b3..815d95ad83 100644
--- a/app/controllers/settings/deletes_controller.rb
+++ b/app/controllers/settings/deletes_controller.rb
@@ -21,7 +21,7 @@ class Settings::DeletesController < Settings::BaseController
   private
 
   def resource_params
-    params.require(:form_delete_confirmation).permit(:password, :username)
+    params.expect(form_delete_confirmation: [:password, :username])
   end
 
   def require_not_suspended!
diff --git a/app/controllers/settings/featured_tags_controller.rb b/app/controllers/settings/featured_tags_controller.rb
index 7e29dd1d29..0f352e1913 100644
--- a/app/controllers/settings/featured_tags_controller.rb
+++ b/app/controllers/settings/featured_tags_controller.rb
@@ -44,6 +44,6 @@ class Settings::FeaturedTagsController < Settings::BaseController
   end
 
   def featured_tag_params
-    params.require(:featured_tag).permit(:name)
+    params.expect(featured_tag: [:name])
   end
 end
diff --git a/app/controllers/settings/imports_controller.rb b/app/controllers/settings/imports_controller.rb
index 5346a448a3..be1699315f 100644
--- a/app/controllers/settings/imports_controller.rb
+++ b/app/controllers/settings/imports_controller.rb
@@ -90,7 +90,7 @@ class Settings::ImportsController < Settings::BaseController
   private
 
   def import_params
-    params.require(:form_import).permit(:data, :type, :mode)
+    params.expect(form_import: [:data, :type, :mode])
   end
 
   def set_bulk_import
diff --git a/app/controllers/settings/migration/redirects_controller.rb b/app/controllers/settings/migration/redirects_controller.rb
index 6d469f3842..d850e05e94 100644
--- a/app/controllers/settings/migration/redirects_controller.rb
+++ b/app/controllers/settings/migration/redirects_controller.rb
@@ -33,6 +33,6 @@ class Settings::Migration::RedirectsController < Settings::BaseController
   private
 
   def resource_params
-    params.require(:form_redirect).permit(:acct, :current_password, :current_username)
+    params.expect(form_redirect: [:acct, :current_password, :current_username])
   end
 end
diff --git a/app/controllers/settings/migrations_controller.rb b/app/controllers/settings/migrations_controller.rb
index 62603aba81..92e3611fd9 100644
--- a/app/controllers/settings/migrations_controller.rb
+++ b/app/controllers/settings/migrations_controller.rb
@@ -27,7 +27,7 @@ class Settings::MigrationsController < Settings::BaseController
   private
 
   def resource_params
-    params.require(:account_migration).permit(:acct, :current_password, :current_username)
+    params.expect(account_migration: [:acct, :current_password, :current_username])
   end
 
   def set_migrations
diff --git a/app/controllers/settings/privacy_controller.rb b/app/controllers/settings/privacy_controller.rb
index 1102c89fad..a5bb3b884f 100644
--- a/app/controllers/settings/privacy_controller.rb
+++ b/app/controllers/settings/privacy_controller.rb
@@ -18,7 +18,7 @@ class Settings::PrivacyController < Settings::BaseController
   private
 
   def account_params
-    params.require(:account).permit(:discoverable, :unlocked, :indexable, :show_collections, settings: UserSettings.keys)
+    params.expect(account: [:discoverable, :unlocked, :indexable, :show_collections, settings: UserSettings.keys])
   end
 
   def set_account
diff --git a/app/controllers/settings/profiles_controller.rb b/app/controllers/settings/profiles_controller.rb
index 8ae69b7fe0..2d80998968 100644
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@@ -20,7 +20,7 @@ class Settings::ProfilesController < Settings::BaseController
   private
 
   def account_params
-    params.require(:account).permit(:display_name, :note, :avatar, :header, :bot, fields_attributes: [:name, :value])
+    params.expect(account: [:display_name, :note, :avatar, :header, :bot, fields_attributes: [:name, :value]])
   end
 
   def set_account
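Review bot: `fields_attributes: [:name, :value]` inside `expect` may stop accepting the profile-field collection that `permit` accepted. `expect` treats a single-level array as the filter for one hash and requires the doubled form for a list of hashes; as far as I can tell the numeric-key nested-attributes shape (`{"0" => {...}}`) is also only unpacked under the doubled form. If the profile form submits fields that way (the form is not visible here), they would be silently dropped rather than rejected, so consider `fields_attributes: [[:name, :value]]`. The new profiles spec covers only the malformed case; a request spec that submits valid fields and checks they persist would catch this.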
diff --git a/spec/requests/settings/aliases_spec.rb b/spec/requests/settings/aliases_spec.rb
new file mode 100644
index 0000000000..6d905aa4c6
--- /dev/null
+++ b/spec/requests/settings/aliases_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Aliases' do
+  describe 'POST /settings/aliases' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      post settings_aliases_path(account_alias: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
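Review bot: The malformed value is passed through the path helper, so it reaches the controller in the query string rather than in the request body that the real form uses. Rails merges both into `params`, so the assertion is valid, but `post settings_aliases_path, params: { account_alias: 'invalid' }` mirrors the actual request and keeps the URL readable in failure output. The same pattern is repeated in the deletes, featured_tags, imports, migration/redirects, migrations, privacy and profiles specs.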
diff --git a/spec/requests/settings/deletes_spec.rb b/spec/requests/settings/deletes_spec.rb
new file mode 100644
index 0000000000..4563f639d5
--- /dev/null
+++ b/spec/requests/settings/deletes_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Deletes' do
+  describe 'DELETE /settings/delete' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      delete settings_delete_path(form_delete_confirmation: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
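Review bot: For the account-deletion endpoint the spec asserts only the 400 status, which does not show that the rejected request left the account untouched. Because the user is fabricated inline in `before { sign_in Fabricate(:user) }`, there is no handle to check afterwards; using `let(:user) { Fabricate(:user) }` with `before { sign_in user }` would allow an assertion that the account is unchanged (for example, still not suspended) after the request. Where `resource_params` is called relative to any destructive step is outside this diff, so the extra assertion guards against a later reordering.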
diff --git a/spec/requests/settings/featured_tags_spec.rb b/spec/requests/settings/featured_tags_spec.rb
new file mode 100644
index 0000000000..2c7f907e80
--- /dev/null
+++ b/spec/requests/settings/featured_tags_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Aliases' do
+  describe 'POST /settings/featured_tags' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      post settings_featured_tags_path(featured_tag: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
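Review bot: The top-level description reads `'Settings Aliases'`, which looks copied from aliases_spec.rb, while this file exercises `POST /settings/featured_tags`. Failure output and spec filtering by description would point at the wrong feature; it should be `RSpec.describe 'Settings Featured Tags' do`.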
diff --git a/spec/requests/settings/imports_spec.rb b/spec/requests/settings/imports_spec.rb
new file mode 100644
index 0000000000..e2051e015f
--- /dev/null
+++ b/spec/requests/settings/imports_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Imports' do
+  describe 'POST /settings/imports' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      post settings_imports_path(form_import: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
diff --git a/spec/requests/settings/migration/redirects_spec.rb b/spec/requests/settings/migration/redirects_spec.rb
new file mode 100644
index 0000000000..f417fbb0b2
--- /dev/null
+++ b/spec/requests/settings/migration/redirects_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Migration Redirects' do
+  describe 'POST /settings/migration/redirect' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      post settings_migration_redirect_path(form_redirect: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
diff --git a/spec/requests/settings/migrations_spec.rb b/spec/requests/settings/migrations_spec.rb
index 4103d6b320..0aca7fde5b 100644
--- a/spec/requests/settings/migrations_spec.rb
+++ b/spec/requests/settings/migrations_spec.rb
@@ -18,4 +18,15 @@ RSpec.describe 'Settings Migrations' do
       it { is_expected.to redirect_to new_user_session_path }
     end
   end
+
+  context 'when user is signed in' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      post settings_migration_path(account_migration: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
 end
diff --git a/spec/requests/settings/privacy_spec.rb b/spec/requests/settings/privacy_spec.rb
new file mode 100644
index 0000000000..d02b534b74
--- /dev/null
+++ b/spec/requests/settings/privacy_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Privacy' do
+  describe 'PUT /settings/privacy' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_privacy_path(account: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
diff --git a/spec/requests/settings/profiles_spec.rb b/spec/requests/settings/profiles_spec.rb
new file mode 100644
index 0000000000..a19f321f14
--- /dev/null
+++ b/spec/requests/settings/profiles_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Profiles' do
+  describe 'PUT /settings/profile' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_profile_path(account: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end