The behaviour is as follows:
Handling of Unpermitted Keys
By default parameter keys that are not explicitly permitted will be
logged in the development and test environment. In other environments
these parameters will simply be filtered out and ignored.Additionally, this behaviour can be changed by changing the
config.action_controller.action_on_unpermitted_parameters property in
your environment files. If set to :log the unpermitted attributes will
be logged, if set to :raise an exception will be raised.
(source)
I would suggest rescuing from this exception with 400 status (Bad Request):
rescue_from ActionController::ParameterMissing do
render :nothing => true, :status => :bad_request
end