diff --git a/app/controllers/api/shipments_controller.rb b/app/controllers/api/shipments_controller.rb
index b92ee1eb655..69f4b7d037a 100644
--- a/app/controllers/api/shipments_controller.rb
+++ b/app/controllers/api/shipments_controller.rb
@@ -30,7 +30,7 @@ def update
 @shipment.adjustment.open
 end
- @shipment.update(params[:shipment])
+ @shipment.update(shipment_params[:shipment])
 if unlock == 'yes'
 @shipment.adjustment.close
@@ -88,7 +88,7 @@ def find_order
 def find_and_update_shipment
 @shipment = @order.shipments.find_by!(number: params[:id])
- @shipment.update(params[:shipment]) if params[:shipment].present?
+ @shipment.update(shipment_params[:shipment]) if shipment_params[:shipment].present?
 @shipment.reload
 end
@@ -101,5 +101,12 @@ def scoped_variant(variant_id)
 def get_or_create_shipment(stock_location_id)
 @order.shipment || @order.shipments.create(stock_location_id: stock_location_id)
 end
+
+ def shipment_params
+ params.permit(
+ [:id, :order_id, :variant_id, :quantity,
+ { shipment: [:tracking, :selected_shipping_rate_id] }]
+ )
+ end
 end
 end
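Review bot: The return value of `@shipment.update(shipment_params[:shipment])` is ignored, so a failed validation still falls through to `@shipment.adjustment.close` below it; the same applies to the guarded call in `find_and_update_shipment` (second hunk), where `@shipment.reload` then discards the rejected values without any signal to the caller. Branching on the boolean that `update` returns, or using `update!` if the controller rescues `ActiveRecord::RecordInvalid` (not visible here), would surface the failure. Also, `shipment_params[:shipment]` is `nil` when the request has no `shipment` key and this call is unguarded; unless the lines above the hunk guarantee the key, `@shipment.update(shipment_params[:shipment] || {})` keeps that case a no-op. The body of `update` starts and ends outside the hunk.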
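Review bot: `shipment_params` is evaluated twice on the changed line in `find_and_update_shipment`, and each call re-runs `params.permit`, which may also report unpermitted keys twice depending on the app's unpermitted-parameter setting. Reading it once keeps the guard and the update on the same value: `attrs = shipment_params[:shipment]` followed by `@shipment.update(attrs) if attrs.present?`. Alternatively the helper in the third hunk could memoize its result with `@shipment_params ||= params.permit(...)`.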
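Review bot: The permit list in `shipment_params` mixes top-level request keys (`:id`, `:order_id`, `:variant_id`, `:quantity`) with the nested shipment attributes, yet both call sites in this diff read only `[:shipment]`, so the helper returns more than its name suggests and yields `nil` there when the key is absent. If no other caller needs the top-level keys (not visible here), `params.fetch(:shipment, {}).permit(:tracking, :selected_shipping_rate_id)` would return the attribute set directly and never `nil`, with the callers dropping `[:shipment]`. Because `:selected_shipping_rate_id` remains client-settable through mass assignment, it is worth confirming that its setter only accepts rates belonging to this shipment; the setter is outside the diff. A one-line comment above the method, such as `# Only the attributes an API client may set on a shipment.`, would record the intent of the list for whoever extends it next.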