I do not understand how https is used on the store. It looks like it does not enter https when logging in. Also after requesting reset password link, the site seems to go into some sort of https mode, where it runs into CORS errors.
Could we reproduce this problem on default storefront theme?
I will try to install a default instance of VC and test it there during the weekend.
Is there any guidance on how to set the whole site into using htts permanently?
Nothing special, our site https://virtocommerce.com running on latest storefront version without any problems.