Force HTTPS on all pages in the frontend, not just Checkout/Account
The default answer is, set the unsecure base url to https:// depending on your setup this already is enough for a redirect if users try to use http://
Maybe a redirect on webserver level is better, as it avoids requests going through php first.
And if you want the real perfectly secure solution, you should add your website on https://hstspreload.appspot.com/ . But careful with this, if you need to change your certificate, this can cause big problems. Let your Hoster care about this Part.
you can do this with .htaccess in apache. Use these lines:
############################ Force SSL ############################
RewriteCond %{HTTP_HOST} !^localhost$
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
############################ Force SSL ############################
For anyone stumbling across this (like I did)
Don't use htaccess. Under admin go Stores -> General -> Web and change -> Use Secure URLs on Storefront -> Yes and Use Secure URLs in Admin -> Yes
There's no need to edit any files.