Rather than a forced redirection to https in the .htaccess file, the plan was to do the redirection in the host conf file, which is what we did with other websites. With one other website, though, we got an infinite loop thing happening, which is what I'm afraid of with CS-Cart. I would like CS-Cart to be able to cope with https when entered into the browser command line before we attempt a forced redirect. At the moment, if you type https, it simply reverts to http, so a forced redirect might end up in an infinite loop. The admin is fine, which makes me think it's something in the CS-Cart code.
Where can I find config.local.php?
Yes, I might have to get someone to review the code.